Only a month after Heartbleed almost turned the Internet upside down, another major security flaw hits the limelight - one that could allow hackers to obtain a user's login information, exploiting login standards used by major websites.
The vulnerability targets OpenID and OAuth, two open-source login tools that allow users to sign up or sign in at a website using their existing information from other websites, such as Facebook, Google, Twitter or Microsoft.
Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, claims to have discovered the vulnerability, which he now calls Covert Redirect. The flaw is based on a well-known exploit parameter that lets it masquerade as a pop-up login window based on an affected website.
For example, when a user clicks on a suspicious-looking link sent to him through email or instant messaging, the link brings up a pop-up window with a login used by a trusted website, such as Facebook. The pop-up asks the user to authorize the app by logging in with his Facebook information.
If the user authenticates his login, his personal information, such as his email address, password and contact list, is then sent over to the attacker's website and not to Facebook. It is also possible that it could provide the attacker full control of the user's Facebook account.
Regardless of whether the user authorizes the app or not, the website then redirects to another website that can potentially do further damage. It is important to note that the attack uses the actual website address and not a fake domain as phishers typically do.
"The path of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks," writes Jing on the Covert Redirect website. "However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
Covert Redirect, however, is no Heartbleed and Jing is not the first to discover the flaw, which has already been addressed by OAuth 2.0 developer Alex Bilbie and a number of affected websites.
Back in March 2013, Facebook security consultants Egor Homakov and Nir Goldshlager demonstrated how attackers can illegally obtain Facebook login information by tinkering with OAuth's redirect_uri parameter.
In response to Homakov's discovery, Bilbie said he had already devised a way to mitigate the flaw and any further problems arising from it are due to website implementations and not the OAuth framework itself.
"My OAuth 2.0 server library is not vulnerable to the aforementioned attack as it strictly validates and verifies every parameter that is sent to it and redirect URIs are whitelisted on the server," Bilbie said.
The solution, as Jing also recommends, is for the affected website to require all apps to use a whitelist of redirect URIs to prevent future attacks from a dynamic URI.
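The difference between a loose redirect check and the whitelist described above can be shown in a few lines. This is an added example, not code from the article, from Bilbie's library or from any affected site; the client ID, the registered callback and all URLs are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed registration data: client_id -> exact redirect URIs the app registered.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}

def domain_only_check(client_domain, redirect_uri):
    """Loose check: accepts any URL whose host is the client's domain or a subdomain."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == client_domain or host.endswith("." + client_domain)

def allowlist_check(client_id, redirect_uri):
    """Strict check: the redirect_uri must equal a registered URI, character for character."""
    if not redirect_uri:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    # Compare the raw string, not a normalized form, so path tricks and
    # extra query parameters never match a registered entry.
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())

# Constructed redirect_uri values an authorization server might receive.
SAMPLE_URIS = [
    "https://app.example.com/oauth/callback",                     # registered
    "https://app.example.com/go?url=https%3A%2F%2Fother.example", # same domain, forwards elsewhere
    "https://app.example.com/oauth/callback/../../go",            # path traversal on same domain
    "http://app.example.com/oauth/callback",                      # scheme downgrade
    "https://app.example.com.other.example/oauth/callback",       # lookalike host
]

def compare(client_id, client_domain, candidates):
    """Return (uri, loose_result, strict_result) for each candidate."""
    return [
        (uri, domain_only_check(client_domain, uri), allowlist_check(client_id, uri))
        for uri in candidates
    ]

if __name__ == "__main__":
    for uri, loose, strict in compare("demo-client", "app.example.com", SAMPLE_URIS):
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

The loose check accepts three same-domain values that the registered-URI comparison rejects, which is the gap the whitelist closes.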
Affected websites such as LinkedIn and PayPal announced that they have already updated their implementations to address the flaw. Facebook, however, is not as eager to work on updates, telling Jing that they "understand the risks associated with OAuth 2.0. However, short of forcing every single application on the platform to use a whitelist, it isn't something that can be accomplished in the short term."