Security Flaw Found In OAuth And OpenID: Here’s What It Means For You

Another day, another major internet security flaw (step aside, Heartbleed). A flaw has been reported affecting OpenID and OAuth, the two protocols behind the "Log in with Google" and "Log in with Facebook" buttons on many web sites. Strictly, the problem lies in how identity providers and the sites that use them handle redirects, not in the protocol specifications themselves. Here's what you need to know about the security flaw.

What Are OpenID and OAuth?

As we've explained before, OAuth and OpenID let you log into sites or apps using your Google, Twitter, Facebook or other credentials, without having to create yet another account or give the app more permission than necessary. The two are related but not the same thing: OpenID handles authentication (telling the site you are who you say you are), while OAuth handles authorisation (letting the site act on your behalf, for example reading your profile or contacts, using a token issued by the provider instead of your password). In practice a "Log in with Google" button runs an OAuth flow: the provider checks your password, you approve the permissions the site is asking for, and the site is sent a token rather than your username and password.

Because they make logging into sites easy (and webmasters don’t have to maintain their own login systems), OAuth and OpenID are used widely across the web by sites including LinkedIn, PayPal, Yahoo, and many more.

What Is This New Vulnerability?

It might not actually be a new vulnerability, but it was just written up by Wang Jing, a Ph.D student at Nanyang Technological University. Called the "Covert Redirect" flaw, it combines two weaknesses. First, the OAuth provider checks the redirect address in a login link only loosely, accepting any address on the client site's domain rather than the exact callback the site registered. Second, the client site hosts an open redirector, a page that forwards visitors to whatever address it is handed. An attacker crafts a phishing link that starts a genuine login with Google or Facebook, but sets the redirect address to the client site's open redirector, pointed at the attacker's server. You see the familiar authorisation popup, and if you authorise the login, the token (or authorisation code) meant for the site is forwarded to the attacker instead, along with whatever data the app was allowed to read: your email address, contact lists, birthday and more. The same open redirector can also land you on a look-alike website.

Perhaps the scariest thing is that a Covert Redirect link doesn't use a fake domain that more savvy surfers might spot. The authorisation page is the provider's real one, showing the real app's name, and the redirect address is on the real site you're trying to log into. Only the nested destination, buried inside the redirect parameter, points at the attacker, so it's very hard to detect.
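To make the chain concrete, here is a toy model of the two checks involved, written for this article rather than taken from Wang Jing's write-up or from any real provider. It simulates an OAuth provider that validates a login link's redirect address either loosely (same domain only) or strictly (exact match against the registered callback), and a client site that hosts an open redirector. Every hostname, path, client ID and token in it is constructed for the example.

```python
# Added example, not code from the article or from any provider. Models the
# Covert Redirect chain: a loose redirect_uri check at the provider plus an
# open redirector on the client site lets a token leak to a third party.
# Hostnames, paths, client IDs and tokens are all constructed for this demo.
from urllib.parse import urlparse, urlencode, parse_qs

# What the (hypothetical) client site registered with the provider.
REGISTERED = {
    "client-app-123": ["https://client.example/callback"],
}

PROVIDER = "https://provider.example/authorize"
LEGIT_REDIRECT = "https://client.example/callback"
# The attacker points the client's open redirector at their own server.
ATTACKER_REDIRECT = "https://client.example/redirect?to=https://attacker.example/steal"


def weak_redirect_ok(client_id, redirect_uri):
    """Domain-only matching: the loose check Covert Redirect relies on."""
    registered = REGISTERED.get(client_id, [])
    if not registered:
        return False
    want = urlparse(registered[0])
    got = urlparse(redirect_uri)
    return got.scheme == want.scheme and got.netloc == want.netloc


def strict_redirect_ok(client_id, redirect_uri):
    """Exact match against the registered list, as RFC 6749 section 3.1.2 expects."""
    return redirect_uri in REGISTERED.get(client_id, [])


def build_login_link(redirect_uri):
    """The link a user clicks; a phishing mail can supply any redirect_uri."""
    return PROVIDER + "?" + urlencode({
        "response_type": "token",       # implicit grant: token returned in the URL
        "client_id": "client-app-123",
        "redirect_uri": redirect_uri,
    })


def provider_authorize(login_link, check):
    """Provider: after the user consents, send the token to redirect_uri.

    Returns the Location the browser is sent to, or None if the check fails."""
    q = parse_qs(urlparse(login_link).query)
    client_id = q["client_id"][0]
    redirect_uri = q["redirect_uri"][0]
    if not check(client_id, redirect_uri):
        return None
    # Implicit grant puts the token in the fragment of the redirect target.
    return redirect_uri + "#" + urlencode({"access_token": "tok-constructed"})


def client_site(url):
    """Client: /redirect?to=... is an open redirector.

    Browsers keep the fragment when a 302 Location carries none, so the
    access_token travels along to wherever the redirector points."""
    p = urlparse(url)
    if p.path == "/redirect":
        target = parse_qs(p.query)["to"][0]
        return target + ("#" + p.fragment if p.fragment else "")
    return url


def token_lands_at(check, redirect_uri):
    """Run the whole chain and report which host ends up holding the token."""
    location = provider_authorize(build_login_link(redirect_uri), check)
    if location is None:
        return None
    final = client_site(location)
    return urlparse(final).netloc if "access_token" in final else None


if __name__ == "__main__":
    print("weak check, attacker link  ->", token_lands_at(weak_redirect_ok, ATTACKER_REDIRECT))
    print("strict check, attacker link ->", token_lands_at(strict_redirect_ok, ATTACKER_REDIRECT))
    print("strict check, real link    ->", token_lands_at(strict_redirect_ok, LEGIT_REDIRECT))
```

With the domain-only check the attacker's link is accepted and the token ends up at attacker.example; with exact matching the same link is rejected before the user ever sees a consent screen, while the genuine callback still works. The strict check alone is enough to stop the chain, which is why the fix sits with each provider and site rather than in the protocol.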

What You Can Do About It

Unfortunately, CNET reports that this is not easy for sites to fix and third-party sites have “little incentive” to do so:

Jeremiah Grossman, founder and interim CEO at WhiteHat Security, a website security firm, agreed with Wang’s findings after looking at the data.

“While I can’t be 100 per cent certain, I could have sworn I’ve seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX,” Grossman said.

“This is to say, it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

Until we know more, you're best off being extra careful about logging into sites using Twitter, Google or Facebook. As CNET advises, watch out for links that immediately ask you to log in, and close the window rather than clicking authorise to stop the redirect. If you can see the full address of the authorisation popup, a redirect parameter that contains a second web address nested inside it is a warning sign. As always, be careful about the sites and links you visit. If you run a site that offers these logins, the standard mitigation is to register exact callback addresses with each provider, remove any page that forwards visitors to an arbitrary address, and prefer the authorisation-code flow over having the token returned directly in the URL.

Serious security flaw in OAuth, OpenID discovered [CNET]


  • I can’t think of any reason other than laziness that anyone would let themselves log in to online site A using online site B’s credentials. Use a different password for every site, inconvenient or not, people.

    • Some sites don't give you any option. You are forced to sign in with Facebook or Twitter. I just hit the back button.

      • That would be, like, Disqus? I simply wouldn't use a site that required me to sign in with a FB or Twitter ID, as to me those orgs are far from trustworthy where my security is concerned.
