Printed from

OAuth, OpenID 'covert redirect' flaw discovered; hard to implement fix

updated 11:55 am EDT, Fri May 2, 2014

Google, Microsoft, Facebook all potentially affected by attack vector

Under scrutiny from security researchers after the discovery of Heartbleed, another significant problem has been identified in open source security measures. Authentication tools OAuth and OpenID have been found to be victim to a "covert redirect" flaw, with sites such as Google, PayPal, Yahoo, Facebook, and Microsoft's Hotmail subject to attack.

The flaw manifests itself as a login popup based on the affected site's domain address. A user clicking on a phishing link will get a window purporting to be from the faked credential holder, such as Facebook, with the covert redirect flaw using the actual site address for authentication, making identification of a redirect that much harder. Any login credentials are then redirected, and released to the malicious coder, rather than sent to the legitimate site for authentication.

Ph.D student Wang Jing of the Nanyang Technological University in Singapore discovered the vector. Wang has reported his findings to Facebook, LinkedIn, and Microsoft, and has received little enthusiasm from any of the companies he's spoken with: LinkedIn plans to publish a blog post on the matter "shortly," but promised no action. Google informed him that the problem was being tracked. Microsoft claimed that they weren't subject to the flaw. Facebook said that they were aware of the problem, "understood the risks associated with OAuth 2.0" and a fix was "something that can't be accomplished in the short term."

Paypal Chief Technology Officer James Barrese told Electronista in a statement that when PayPal implemented OAuth2.0/OpenID, "we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability."

Code verification company Veracode Chief Technology Officer Chris Wysopal told CNet that "given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service."

WhiteHat Security founder Jeremiah Grossman examined Wang's findings. He noted that "I could have sworn I've seen a report of a very similar if not identical vulnerability in OAuth. It would appear this issue is essentially a known 'wontfix.' This is to say, it's not easy to fix, and any effective remedies would negatively impact the user experience." He added that in his view, the problem was "just another example that Web security is fundamentally broken, and the powers that be have little incentive to address the inherent flaws."

By Electronista Staff
Post tools:




  1. Steve Wilkinson

    Fresh-Faced Recruit

    Joined: 12-19-01

    Yep, not only is this whole 'single sign on' thing a bad idea for social engineering reasons (i.e.: phishing training), with an added security flaw, it becomes even more dangerous.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines


Most Popular


Recent Reviews

Sound Blaster Roar Bluetooth speaker

There could very well be a new king of the hill for Bluetooth speakers, with Sound Blaster's recent entry into the marketplace. Bringi ...

Kenu Airframe Plus

Simple, stylish and effective, the Kenu Airframe + portable car mount is the latest addition to Kenu's lineup. Released earlier this y ...

Plantronics Rig Surround 7.1 headset

Trying to capture the true soundscape of video games can be a daunting task. Looking to surround-sound home theater options, users hav ...



Most Commented


Popular News