Printed from

OAuth, OpenID 'covert redirect' flaw discovered; hard to implement fix

updated 11:55 am EDT, Fri May 2, 2014

Google, Microsoft, Facebook all potentially affected by attack vector

Under scrutiny from security researchers after the discovery of Heartbleed, another significant problem has been identified in open source security measures. Authentication tools OAuth and OpenID have been found to be victim to a "covert redirect" flaw, with sites such as Google, PayPal, Yahoo, Facebook, and Microsoft's Hotmail subject to attack.

The flaw manifests itself as a login popup based on the affected site's domain address. A user clicking on a phishing link will get a window purporting to be from the faked credential holder, such as Facebook, with the covert redirect flaw using the actual site address for authentication, making identification of a redirect that much harder. Any login credentials are then redirected, and released to the malicious coder, rather than sent to the legitimate site for authentication.

Ph.D student Wang Jing of the Nanyang Technological University in Singapore discovered the vector. Wang has reported his findings to Facebook, LinkedIn, and Microsoft, and has received little enthusiasm from any of the companies he's spoken with: LinkedIn plans to publish a blog post on the matter "shortly," but promised no action. Google informed him that the problem was being tracked. Microsoft claimed that they weren't subject to the flaw. Facebook said that they were aware of the problem, "understood the risks associated with OAuth 2.0" and a fix was "something that can't be accomplished in the short term."

Paypal Chief Technology Officer James Barrese told Electronista in a statement that when PayPal implemented OAuth2.0/OpenID, "we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability."

Code verification company Veracode Chief Technology Officer Chris Wysopal told CNet that "given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service."

WhiteHat Security founder Jeremiah Grossman examined Wang's findings. He noted that "I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known 'wontfix.' This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience." He added that in his view, the problem was "just another example that Web security is fundamentally broken, and the powers that be have little incentive to address the inherent flaws."

By Electronista Staff
Post tools:




  1. Steve Wilkinson

    Fresh-Faced Recruit

    Joined: 12-19-01

    Yep, not only is this whole 'single sign on' thing a bad idea for social engineering reasons (i.e.: phishing training), with an added security flaw, it becomes even more dangerous.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Linksys WRT1200AC Wi-Fi Router

Once upon a time, a brand-new Linksys router showed up on our doorstep. So we gathered some network-minded friends together, and hooke ...

Rapoo A300 Mini Bluetooth NFC Speaker

The Rapoo Bluetooth Mini NFC Speaker is a little metallic box about the size of a baseball. In spite of its small size, we were very p ...

Neurio Intelligent Home Monitor

The recently released Neurio Intelligent Home Monitor is a piece of hardware that, when integrated into a home's breaker box, monitors ...



Most Commented


Popular News