The Inquirer

Major flaw found in OAuth and OpenID affects Google, Microsoft and Facebook

If you log in with it at your social networks, you're at risk
Fri May 02 2014, 14:45

A MAJOR VULNERABILITY has been discovered in the OAuth and OpenID services designed to protect user credentials.

The login tools create tokens that allow users to log in to websites, including Facebook, Google, LinkedIn and those owned by Microsoft, using centralised credentials, without the websites having direct access to user names or passwords.

Wang Jing, a PhD student at Nanyang Technical University, Singapore, discovered that the known "Covert Redirect" technique can be used against these services: the login pop-up that appears comes from the genuine credential website, yet when the victim hits "enter" the information is sent to the attacker instead of to the credential website.

According to Wang's blog, Tetraph, fixing the problem is going to be very difficult. He says, "The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhered to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons.

"This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
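The whitelist Wang refers to is, in OAuth 2.0 terms, the set of redirect URIs each third-party application registers with the identity provider. The following added example (not from the article or from Wang's write-up) contrasts a loose host-only check, which lets any page on a registered site receive the token, with the strict exact-match check he calls for; the client ID and URLs are constructed for illustration.

```python
"""Added example: two ways an OAuth 2.0 authorization server might
validate the redirect_uri on an authorization request. The loose
form is the kind of check that leaves room for the token to be
forwarded elsewhere; the strict form is the whitelist approach the
article says most third-party applications do not implement.
Client registrations and URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed registration: each client id maps to the exact redirect
# URIs its developer registered with the identity provider.
REGISTERED = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Weak: accepts any URL on a registered host. Any page on that host
    that forwards its visitors onward would also forward the code/token."""
    hosts = {urlsplit(u).netloc for u in REGISTERED.get(client_id, ())}
    return urlsplit(redirect_uri).netloc in hosts


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Strict: after lower-casing scheme and host, the URI must match a
    registered entry exactly. Extra paths, query strings, fragments and
    non-HTTPS schemes are all rejected."""
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.scheme.lower() != "https":
        return False
    normalised = parts._replace(
        scheme=parts.scheme.lower(), netloc=parts.netloc.lower()
    ).geturl()
    return normalised in REGISTERED.get(client_id, set())


if __name__ == "__main__":
    for uri in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect?to=https://other.example",
    ):
        print(uri, "loose:", loose_check("client-123", uri),
              "strict:", strict_check("client-123", uri))
```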

So many of the world's biggest websites either use OAuth or provide OAuth credentials that the potential for this problem to spiral out of control is substantial.

Is it another Heartbleed? Probably not, but with websites so far showing very little interest in plugging the leak, now that it is public knowledge it has the potential to become a big problem.

This story is still developing. We've requested comment and will update this story as we receive more information. µ
