A MAJOR VULNERABILITY has been discovered in the OAuth and OpenID services designed to protect user credentials.
The login tools create tokens allowing users to log in to websites including Facebook, Google and LinkedIn, and those owned by Microsoft, using centralised credentials, without the websites having direct access to user names or passwords.
Wang Jing, a PhD student at Nanyang Technical University, Singapore, discovered that the known "Covert Redirect" exploit can be turned against them: the pop-up that appears comes from the genuine credential website, yet when the victim hits "enter" the information is sent to the attacker instead of the credential website.
According to Wang's blog, Tetraph, fixing the problem is going to be very difficult. He says, "The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons.
"This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."
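The whitelist Wang refers to is the list of redirect URIs a third-party application registers with the identity provider. The following is an added illustration, not code from Wang's blog or from any provider: it contrasts a loose host-only match (the kind of non-whitelist check the article says many applications rely on) with an exact-match whitelist, using a constructed registered callback on the hypothetical host `app.example`.

```python
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed example: the redirect URI a hypothetical third-party app
# registered with the provider. Real apps register their own callback URLs.
REGISTERED_REDIRECT_URIS = {
    "https://app.example/oauth/callback",
}


def weak_redirect_uri_check(redirect_uri: str) -> bool:
    """Loose check: accept any redirect_uri whose host matches a registered host.

    Any page on the registered host that forwards visitors elsewhere then becomes
    a place the provider will happily send the token to.
    """
    host = urlparse(redirect_uri).hostname
    return any(urlparse(reg).hostname == host for reg in REGISTERED_REDIRECT_URIS)


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """Whitelist check: the redirect_uri must match a registered entry exactly.

    Scheme, host, path and query all have to agree; fragments are never allowed
    because the provider has no way to know where they end up.
    """
    parsed = urlparse(redirect_uri)
    if parsed.scheme != "https" or parsed.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def issue_token_to(redirect_uri: str,
                   checker: Callable[[str], bool]) -> Optional[str]:
    """Model the provider's authorization endpoint decision.

    Returns the URI the token would be sent to, or None when the request must be
    rejected without issuing anything. The checker is what decides the outcome.
    """
    return redirect_uri if checker(redirect_uri) else None


if __name__ == "__main__":
    # Constructed sample requests: the real callback, a forwarding page on the
    # same registered host, and an unrelated host.
    samples = [
        "https://app.example/oauth/callback",
        "https://app.example/go?to=https://somewhere-else.example",
        "https://other.example/oauth/callback",
    ]
    for uri in samples:
        print(f"{uri}\n  weak  -> {issue_token_to(uri, weak_redirect_uri_check)}"
              f"\n  strict-> {issue_token_to(uri, strict_redirect_uri_check)}")
```

The second sample is the case that matters: both checks reject an unrelated host, but only the exact-match whitelist refuses to send the token to a forwarding page on the registered host. Providers that enforce exact matching close the gap regardless of how carefully each application was written; where the check is left to the application, the article's point about many applications not doing it applies.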
So many of the world's biggest websites either use OAuth or provide OAuth credentials that the potential for this problem to spiral out of control is substantial.
Is it another Heartbleed? Probably not, but with websites so far showing very little interest in plugging the leak, now that it is public knowledge it has the potential to become a big problem.
This story is still developing. We've requested comment and will update this story as we receive more information.