A security flaw in widely used open-source software puts countless websites at risk. Heartbleed?
No, now it’s authentication software OpenID and authorization software OAuth.
The vulnerability was first discovered by Wang Jing, a doctoral student at Singapore’s Nanyang Technological University.
When the flaw he calls Covert Redirect is exploited, you might click on a phishing link. It shows a popup window from a trusted site, and asks you to authorize a new app using, say, your Facebook login. But it then grabs your personal info — such as email address, birth date, or contacts — and sends it to the attacker.
OpenID provides one login for a variety of sites, and is used to authenticate that you are who you say you are. OAuth authorizes access so that, say, one website can get your information elsewhere.
Wang told reporters he’s contacted Facebook. Reps for the social network said they “understood the risks associated with OAuth 2.0,” but fixing the vulnerability was not going to happen soon. Wang also said he has reported the problem to Google, LinkedIn, and Microsoft.
A few of the many other potentially affected sites include Yahoo and PayPal.
How to fix this? Wang writes on his blog:
The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.
Bogdan Botezatu, senior e-threat analyst at BitDefender in Romania, told VentureBeat:
What these (the providers) should have done is to whitelist these redirects to ensure that the user’s token returns to the right website. This is a discussion that has been going on for more than five years now, but providers and app developers are pointing hands at each other rather than find a viable fix that won’t break things in the market.
To stay protected, BitDefender recommends:
Users should never click URLs that show up in spam or shady IM conversations and, most importantly, should not perform any authentication or authorization request that pops up unexpectedly.
Since this is another security issue in widely used open source software, is it Heartbleed II?
Avivah Litan, a security analyst with Gartner, told VentureBeat it’s not, because, while “identity theft is terrible for the individual,” this is not a threat to institutions the way OpenSSL’s vulnerability could be. “OpenID is not used in critical, high assurance systems [like OpenSSL].”
In other words, she noted, “The Bank of America is not going to rely on social IDs.”
Is this another black mark against open source?
Litan pointed out, “We’ve just seen Microsoft’s [Internet Explorer] vulnerability, so it’s not just open source” that can have problems. But she added that Heartbleed — and now this threat — point toward the same direction.
“We have to spend more money on open-source [testing and security],” Litan said, as Linux Foundation has now begun to do.
“This free community [oversight] isn’t going to cut it anymore,” she told us.