Covert Redirect, a recently found security flaw, is not as bad as the Heartbleed vulnerability and won’t become the next big headache, according to industry experts and security research firms.
Following the Heartbleed bug, Covert Redirect was discovered in OpenID and OAuth 2.0; it could let attackers misuse your credentials from widely used websites such as Facebook, Twitter, Microsoft and Google.
Many security outlets referred to the flaw as the next Heartbleed, but many firms have now come out to say that Covert Redirect isn’t going to be as bad as Heartbleed.
Recently, the Heartbleed bug forced several institutions and government services to reset all of their users’ passwords, and many of them suspended critical services until countermeasures had been applied to their systems.
Symantec Security has said that Covert Redirect is not as bad as Heartbleed and is just a security flaw in service providers’ implementations of OAuth.
Symantec explained the following in its blog post:
Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers. Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.
Symantec also pointed out that there will be no patch for this flaw from the OAuth end; it will be the service providers’ (websites’ and apps’) responsibility to implement countermeasures securely to resolve the Covert Redirect flaw.
Danny Thorpe, who works on XACML authorization management architecture and tools at Dell, said in a blog post:
Covert Redirect is not a vulnerability of OAuth itself. The exploit requires the use of an open redirect on your client web site. If you have a URL on your web site that blindly redirects the browser to whatever URL is encoded in the parameters AND you forward URL query params to the redirected page as well, then you have a massive security hole in your web site that can be exploited to capture user personal data and control of the user’s account on your site.
OpenID Foundation board member John Bradley has simply “ignored” the flaw, saying that allowing an attacker to specify any part of a redirect_uri will cause trouble.
I hope Wang Jing (who discovered the flaw) enjoys his moment of fame for getting people excited about this, but I am not giving him any credit for new work on this attack.
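Thorpe’s description (an endpoint that blindly redirects to whatever URL is in its parameters and also forwards the incoming query string) and Bradley’s point (never let a caller choose any part of the redirect_uri) both come down to two checks. The following is an added example written for this article, not code from Symantec, Dell, the OpenID Foundation or any OAuth library; the host `client.example`, the registered callback `https://client.example/oauth/callback` and all sample values are hypothetical. It shows the vulnerable redirect pattern beside a hardened one, plus exact-match redirect_uri validation as an authorization server would apply it.

```python
"""Open-redirect and redirect_uri checks for an OAuth client site.

Added example for this article; hypothetical host names and values.
"""
from urllib.parse import urlparse, urlunparse, urlencode

CLIENT_HOST = "client.example"                                      # hypothetical
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"   # hypothetical


def vulnerable_redirect(next_url, incoming_query):
    """The pattern Thorpe describes: redirect to whatever `next_url` says,
    and forward the incoming query parameters along with it.
    Returns the value that would be sent in the Location header."""
    qs = urlencode(incoming_query)
    if not qs:
        return next_url
    sep = "&" if "?" in next_url else "?"
    return f"{next_url}{sep}{qs}"


def safe_redirect(next_url, incoming_query=None, default="/"):
    """Hardened version: only a same-site, path-only target is honoured, and
    the incoming query string is never forwarded (any code or token the
    provider appended to this request stays on this site).
    `incoming_query` is accepted for a parallel signature and deliberately ignored."""
    parsed = urlparse(next_url)
    # Absolute URLs (https://evil.example/...), scheme-relative URLs
    # (//evil.example/...) and javascript: URLs all carry a scheme or host.
    if parsed.scheme or parsed.netloc:
        return default
    # Require a rooted path; reject "//" and backslashes, which some browsers
    # normalise into an off-site host.
    if not parsed.path.startswith("/") or parsed.path.startswith("//") or "\\" in next_url:
        return default
    # Keep only the target's own path and query; drop fragment entirely.
    return urlunparse(("", "", parsed.path, "", parsed.query, ""))


def redirect_uri_allowed(requested, registered=REGISTERED_REDIRECT_URI):
    """Authorization-server side of Bradley's point: the redirect_uri in an
    authorization request must match the pre-registered value exactly.
    No prefix matching, no domain-only matching, no client-chosen paths."""
    return requested == registered


if __name__ == "__main__":
    q = {"code": "SAMPLE_CODE"}   # constructed: what a provider might append
    print(vulnerable_redirect("https://evil.example/collect", q))
    print(safe_redirect("https://evil.example/collect", q))
    print(safe_redirect("/account?tab=security", q))
    print(redirect_uri_allowed("https://client.example/redirect?next=x"))
```

The vulnerable function happily emits `https://evil.example/collect?code=SAMPLE_CODE`; the hardened one falls back to `/` for every off-site form and keeps a legitimate same-site target untouched, and the server-side check refuses any redirect_uri that is not byte-for-byte the registered one.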
Wang Jing explained the Covert Redirect security flaw as “very serious” in his YouTube video.
Hence, this is not a serious security threat to worry about, at least for end users. Stay tuned to The Next Digit for more updates on this story.