
OAuth, OpenID 'covert redirect' flaw discovered; hard to implement fix

updated 11:55 am EDT, Fri May 2, 2014

Google, Microsoft, Facebook all potentially affected by attack vector

Under the closer scrutiny security researchers have applied since the discovery of Heartbleed, another significant problem has been identified, this time in widely used open authentication standards rather than in open source code. The OAuth 2.0 and OpenID protocols have been found to be subject to a "covert redirect" flaw, with sites such as Google, PayPal, Yahoo, Facebook, and Microsoft's Hotmail potentially exposed to attack.

The flaw manifests itself as a login popup served from the affected provider's genuine domain. A user clicking on a phishing link gets a real authorization window from the credential holder, such as Facebook, because the covert redirect flaw abuses the actual site's authentication address rather than a look-alike, which makes the redirect that much harder to identify. The phishing link names a legitimate partner site as the destination the provider should send the user back to, but points at a page on that site that blindly forwards visitors elsewhere. Once the user approves the login, the resulting access token or authorization code, and with it whatever profile data the user agreed to share, is bounced through that partner site and released to the malicious coder rather than delivered only to the legitimate site. The user's password itself goes to the real provider; it is the token that leaks.
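The two checks that decide whether the attack above works are the provider's validation of the return address (the OAuth redirect_uri) and the partner site's handling of its own "where next" parameter. The following is an added example, not code from the article, from Wang Jing's report, or from any of the providers named; the client id, hostnames, paths and the next= parameter are hypothetical. It places a weak host-only redirect_uri check beside an exact-match allowlist, and an open redirector beside a hardened version, then traces where the token ends up under each.

```python
"""Added example (hypothetical names throughout): why a host-only
redirect_uri check plus an open redirector on the partner site leaks an
OAuth token, and what the two fixes look like."""
from urllib.parse import urlsplit, parse_qs

# Hypothetical client registration held by the authorization server.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://client.example/oauth/callback"},
}

# Constructed attacker redirect_uri: the legitimate client's host and
# callback path, plus a next= parameter pointing off-site.
ATTACK_REDIRECT = (
    "https://client.example/oauth/callback?next=https://attacker.example/collect"
)


def redirect_uri_allowed_weak(client_id, requested):
    """Weak provider check: any https URL on the registered host passes.
    This is the gap a covert redirect walks through, because the attacker
    controls the path and query on an otherwise legitimate host."""
    req = urlsplit(requested)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if req.scheme == "https" and req.netloc == urlsplit(registered).netloc:
            return True
    return False


def redirect_uri_allowed_strict(client_id, requested):
    """Strict provider check: the requested URI must equal a pre-registered
    one byte for byte (scheme, host, path and query) and carry no fragment."""
    if urlsplit(requested).fragment:
        return False
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, set())


def unsafe_next_target(callback_url):
    """Client-side open redirector: follows ?next= wherever it points, so the
    browser carries the freshly issued token to that destination."""
    qs = parse_qs(urlsplit(callback_url).query)
    return qs.get("next", ["/"])[0]


def safe_next_target(callback_url):
    """Hardened client: only same-origin absolute paths are honoured.
    Rejects absolute URLs, protocol-relative //host forms and the backslash
    variants browsers normalise to //."""
    qs = parse_qs(urlsplit(callback_url).query)
    target = qs.get("next", ["/"])[0]
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or not target.startswith("/")
            or target.startswith("//") or "\\" in target):
        return "/"
    return target


def where_does_token_land(client_id, requested_redirect, check):
    """Trace one authorization: if the provider's check accepts the
    redirect_uri, the browser is sent there with the token and the client
    follows next=.  Returns the host that finally receives the token, or
    None when the provider refuses the redirect_uri."""
    if not check(client_id, requested_redirect):
        return None
    final = unsafe_next_target(requested_redirect)
    return urlsplit(final).netloc or urlsplit(requested_redirect).netloc


if __name__ == "__main__":
    for name, check in (("weak", redirect_uri_allowed_weak),
                        ("strict", redirect_uri_allowed_strict)):
        print(name, "->", where_does_token_land("client-123", ATTACK_REDIRECT, check))
```

Note that either fix alone closes this particular path: a provider enforcing exact-match redirect_uri registration never sends the token to the open redirector, and a client that refuses off-site next= targets never forwards it. The article's quoted sources disagree mainly on whose job it is, and exact matching is the change that costs partner sites the flexibility they are used to.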

Ph.D. student Wang Jing of the Nanyang Technological University in Singapore discovered the vector. Wang has reported his findings to Facebook, LinkedIn, and Microsoft, and has received little enthusiasm from any of the companies he has spoken with: LinkedIn plans to publish a blog post on the matter "shortly," but promised no action. Google informed him that the problem was being tracked. Microsoft claimed that it wasn't subject to the flaw. Facebook said that it was aware of the problem, "understood the risks associated with OAuth 2.0," and that a fix was "something that can't be accomplished in the short term."

PayPal Chief Technology Officer James Barrese told Electronista in a statement that when PayPal implemented OAuth2.0/OpenID, "we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability."

Application security company Veracode's Chief Technology Officer Chris Wysopal told CNet that "given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services."

WhiteHat Security founder Jeremiah Grossman examined Wang's findings. He noted that "I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known 'wontfix.' This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience." He added that in his view, the problem was "just another example that Web security is fundamentally broken, and the powers that be have little incentive to address the inherent flaws."

by MacNN Staff



  1. Steve Wilkinson

    Dedicated MacNNer

    Joined: 12-19-01

    Yep, not only is this whole 'single sign on' thing a bad idea for social engineering reasons (i.e.: phishing training), with an added security flaw, it becomes even more dangerous.
