updated 11:55 am EDT, Fri May 2, 2014
Google, Microsoft, Facebook all potentially affected by attack vector
With security researchers scrutinizing open source security software in the wake of Heartbleed, another significant problem has been identified. The OAuth and OpenID authentication tools have been found to be subject to a "covert redirect" flaw, with sites such as Google, PayPal, Yahoo, Facebook, and Microsoft's Hotmail open to attack.
The flaw manifests itself as a login popup served from the affected site's real domain. A user who clicks a phishing link sees a window that appears to come from the impersonated credential provider, such as Facebook; because the covert redirect abuses the genuine site address for authentication, spotting the redirect is that much harder. The login credentials are then redirected and handed to the malicious coder rather than sent to the legitimate site for authentication.
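As an added illustration of the mitigation side (example code written for this page, not from Wang or any of the providers named): the host-only redirect_uri check that a covert redirect slips past, beside the exact-match check the OAuth 2.0 security guidance asks providers for, plus an audit helper run over a constructed set of authorization requests. All hosts and paths are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs a hypothetical client registered with the
# provider. Hosts and paths are assumptions, not taken from the article.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def lax_redirect_check(redirect_uri: str) -> bool:
    """Host-only matching: accepts any path on a registered host.

    A loose check like this is what a covert redirect relies on: the host is
    genuinely the client's, but the path may be an open-redirect endpoint
    that forwards the token or code somewhere else.
    """
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED_REDIRECT_URIS)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact, unnormalised string match against a pre-registered URI.

    Nothing is inferred from the host, so an extra path or query string on
    the same domain is rejected at the authorization endpoint.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def audit_authorize_requests(redirect_uris):
    """Return the redirect_uri values a host-only check would have accepted
    but exact matching rejects. Useful when reviewing authorization-endpoint
    logs for a provider moving from the lax rule to the strict one."""
    return [u for u in redirect_uris
            if lax_redirect_check(u) and not strict_redirect_check(u)]


# Constructed authorization-request log: the redirect_uri parameter only.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/go?next=https://elsewhere.example/collect",
    "https://app.example.com/oauth/callback?v=2",
    "https://other.example/oauth/callback",
]

if __name__ == "__main__":
    for uri in audit_authorize_requests(SAMPLE_REDIRECT_URIS):
        print("accepted only by host-only matching:", uri)
```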
Ph.D. student Wang Jing of the Nanyang Technological University in Singapore discovered the vector. Wang has reported his findings to Facebook, LinkedIn, and Microsoft, and has received little enthusiasm from any of the companies he's spoken with: LinkedIn plans to publish a blog post on the matter "shortly," but promised no action. Google informed him that the problem was being tracked. Microsoft claimed that they weren't subject to the flaw. Facebook said that they were aware of the problem, "understood the risks associated with OAuth 2.0" and that a fix was "something that can't be accomplished in the short term."
PayPal Chief Technology Officer James Barrese told Electronista in a statement that when PayPal implemented OAuth2.0/OpenID, "we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability."
Chris Wysopal, Chief Technology Officer of code verification company Veracode, told CNET that "given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services."
WhiteHat Security founder Jeremiah Grossman examined Wang's findings. He noted that "I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known 'wontfix.' This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience." He added that in his view, the problem was "just another example that Web security is fundamentally broken, and the powers that be have little incentive to address the inherent flaws."