Security flaw makes it easy for scammers to steal your data


For the second time in about a month, a major flaw has been found in widely used open-source login technology. The hole, which exists in the authentication protocols OAuth and OpenID, affects many websites including Google, Facebook, Microsoft, LinkedIn, Yahoo, GitHub and others.

The flaw was discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore. Jing notes that the serious “Covert Redirect” flaw can present a login popup that appears to come from an affected site’s own domain. If exploited by an attacker, it can cause users of affected sites to lose control of their login information and personal data, including email addresses, birth dates, and contact lists.

In addition, the flaw can result in Open Redirect attacks, in which users are sent on to a website of an attacker’s choice, opening the door to further harm.
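The root of Covert Redirect is a provider accepting any redirect_uri on a client's domain, so an open redirector on that domain can forward the token elsewhere. The following is an added example, not code from the article or from any of the named sites, contrasting that lax check with the exact-match check that closes the hole; the client name, URIs and hosts are constructed for illustration.

```python
# Added example: lax (domain-only) redirect_uri validation versus exact-match
# validation, as an OAuth provider would apply it to an authorization request.
# client.example, evil.example and the URIs below are constructed samples.
from urllib.parse import urlsplit

# Redirect URI the hypothetical client registered with the provider.
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"


def lax_redirect_check(requested: str) -> bool:
    """Domain-only match: accepts any path on the registered scheme+host.

    This is the weak rule Covert Redirect abused. If any page on the client's
    domain is an open redirector, the provider still sends the token there,
    and that page forwards it wherever its 'next' parameter points.
    """
    registered = urlsplit(REGISTERED_REDIRECT_URI)
    req = urlsplit(requested)
    return req.scheme == registered.scheme and req.netloc == registered.netloc


def strict_redirect_check(requested: str) -> bool:
    """Exact string match against the registered URI, as RFC 6819 and the
    OAuth 2.0 Security Best Current Practice recommend. Fragments are never
    part of a valid redirect_uri, so reject them outright."""
    if "#" in requested:
        return False
    return requested == REGISTERED_REDIRECT_URI


# Constructed sample: an open-redirector page on the client's own, trusted
# domain that forwards to an attacker-controlled host. Same scheme and host
# as the registered URI, so only the path and query differ.
COVERT_REDIRECT_URI = "https://client.example/go?next=https://evil.example/"


def evaluate(requested: str) -> dict:
    """Return the verdict of both checks for one requested redirect_uri."""
    return {"lax": lax_redirect_check(requested),
            "strict": strict_redirect_check(requested)}


if __name__ == "__main__":
    for uri in (REGISTERED_REDIRECT_URI, COVERT_REDIRECT_URI):
        print(uri, evaluate(uri))
```

Only the strict check refuses the open-redirector URI while still accepting the registered callback, which is why providers that matched on domain alone were exposed.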

“The patch of this vulnerability is easier said than done,” says Wang Jing. He has contacted the major companies affected to report the flaw — although they acknowledge that the bug will be difficult to fix in the short-term.

Security experts including Jeremiah Grossman, founder and interim CEO at WhiteHat Security, have agreed with Wang’s findings.

However, Brandon Edwards — VP of SilverSky Labs at SilverSky — emphasizes that this is not as major a security hazard as Heartbleed:

“Exposing music preferences, friend lists and other social content can be sensitive and in some cases severe,” he says. “However, generally speaking, the risk of exposure to critical information is much lower, and is isolated to information that vulnerable sites would otherwise be exposing to third parties anyway. This is far less impactful than Heartbleed, which has the potential to expose the most critical information that a site processes.

“Additionally, this vulnerability is not as widespread as Heartbleed, as most of the sites using these technologies are social networking, so this won’t pose a threat to banks, and will not be embedded in networking equipment like routers or VPN gateways. Finally, this vulnerability still relies on user interaction: a user must be phished, lured or convinced to allow access with their account.”

We’ll have more news as this story breaks.


About the author

Luke Dormehl is a UK-based journalist and author, with a background working in documentary film for Channel 4 and the BBC. He is the author of The Formula: How Algorithms Solve All Our Problems, And Create More and The Apple Revolution, both published by Penguin/Random House. His tech writing has also appeared in Wired, Fast Company, Techmeme, and other publications.