Major Security Hole Found in Popular Login Protocols

A security flaw has been found that could allow attackers to steal personal data from users. The OAuth and OpenID online login protocols could be abused to harvest that data and redirect users to malicious websites.

Dubbed “Covert Redirect,” the exploit masquerades as a login pop-up based on an affected site’s domain, which would easily fool unsuspecting Internet users. Personal data including email addresses, birth dates, contact lists and even control of the account could be given to hackers.

“For example, someone clicking on a malicious phishing link will get a pop-up window in Facebook, asking them to authorize the app,” the publication writes. “Instead of using a fake domain name that’s similar to trick users, the Covert Redirect flaw uses the real site address for authentication.”

One way to reduce exposure to attacks based on this flaw is to close any suspicious-looking tab or pop-up that demands login credentials for Facebook, Google, or other Internet services that use these open-source protocols.
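The "real site address" behaviour the article describes depends on how an OAuth authorization server checks where it sends the user back. The Python below is an added example, not code from the article or from any provider: it uses a constructed client `app.client.example` with a hypothetical open redirector at `/redirect?url=...`, and contrasts a domain-only check with exact matching of the pre-registered callback, which is the server-side remedy the OAuth 2.0 security best-practice guidance calls for.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration data for a hypothetical client. The same host
# also exposes an open redirector at /redirect?url=<anything>.
REGISTERED = {"app.client.example": {"https://app.client.example/oauth/callback"}}
OPEN_REDIRECTOR_PATHS = {"app.client.example": "/redirect"}


def weak_validate(client_id, redirect_uri):
    """Domain-only match: any HTTPS path on the registered host passes,
    so a redirector living on the legitimate domain is accepted too."""
    p = urlsplit(redirect_uri)
    return client_id in REGISTERED and p.scheme == "https" and p.hostname == client_id


def strict_validate(client_id, redirect_uri):
    """Exact string match against the registered URI(s): no other path,
    no extra query parameters."""
    return redirect_uri in REGISTERED.get(client_id, set())


def authorize(client_id, redirect_uri, validate):
    """Simulated authorization server (implicit flow). On a valid URI it
    redirects with the token in the fragment; on an invalid one it must
    show an error and not redirect anywhere."""
    if not validate(client_id, redirect_uri):
        return {"error": "invalid_redirect_uri"}
    return {"location": redirect_uri + "#access_token=TOKEN"}


def client_follow(location):
    """Simulated client host. Its open redirector issues a further redirect
    to the url parameter; browsers carry the fragment along when the new
    Location has none, so the token travels with it."""
    p = urlsplit(location)
    if p.path == OPEN_REDIRECTOR_PATHS.get(p.hostname):
        target = parse_qs(p.query).get("url", [""])[0]
        return target + "#" + p.fragment
    return location


def token_destination(redirect_uri, validate):
    """Host that finally receives the token, or None if the server refused."""
    result = authorize("app.client.example", redirect_uri, validate)
    if "error" in result:
        return None
    return urlsplit(client_follow(result["location"])).hostname
```

With the weak check a redirect_uri of `https://app.client.example/redirect?url=https://attacker.example/collect` passes, and `token_destination` reports the token landing on the constructed `attacker.example`; with the strict check the same request is refused before any redirect happens.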

“While I can’t be 100 percent certain, I could have sworn I’ve seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known WONTFIX,” Grossman said. “This is to say, it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”

Chris Wysopal, CTO at Veracode, a programming code verification company, also confirmed Wang’s findings.

“Given the trust users put in Facebook and other major OAuth providers I think it will be easy for attackers to trick people into giving some access to their personal information stored on those services,” the exec said.
