For the second time in around one month, a major flaw has been found in popular open-source security software. The hole, which exists in the login tools OAuth and OpenID, affects many websites including Google, Facebook, Microsoft, LinkedIn, Yahoo, GitHub and others.
The flaw was discovered by Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore. Jing notes that the serious “Covert Redirect” flaw allows a login popup to be presented under an affected site’s own domain. If an attacker exploits it, users of affected sites may lose control of their login information and personal data, including email addresses, birth dates and contact lists.
In addition, the flaw can result in Open Redirect attacks, where users are redirected to a website of an attacker’s choice, which can lead to further harm.
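The reason a login popup can appear under a trusted domain and still hand the user off elsewhere comes down to how an OAuth provider validates the `redirect_uri` parameter of an authorization request. The following Python is an added illustration, not code from the article or from Wang Jing’s research: it contrasts a check that accepts any HTTPS address under a client’s registered domain with the exact-match check against pre-registered URIs that closes the gap. The client registration, the `app.example` host and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed registration for a hypothetical OAuth client. A loose provider
# records only the client's domain; a strict provider records the exact
# callback URI(s) the client is allowed to use.
REGISTERED_CLIENTS = {
    "client-123": {
        "domain": "app.example",
        "redirect_uris": {"https://app.example/oauth/callback"},
    },
}


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any HTTPS URL whose host is the client's registered
    domain. Any forwarding endpoint on that domain (for example a page that
    honours a 'next=' parameter) is therefore also accepted, which is the
    condition the Covert Redirect flaw depends on."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname == client["domain"]


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: the redirect_uri must be byte-for-byte equal to one of
    the URIs the client registered in advance. Query strings and alternate
    paths on the same domain are rejected, so an open redirector elsewhere on
    the site cannot be used as the OAuth callback."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return redirect_uri in client["redirect_uris"]


def compare_policies(client_id: str, redirect_uri: str) -> dict:
    """Return both verdicts for one request so the difference is visible
    side by side when auditing a provider's validation logic."""
    return {
        "loose": loose_redirect_ok(client_id, redirect_uri),
        "strict": strict_redirect_ok(client_id, redirect_uri),
    }


if __name__ == "__main__":
    # Constructed sample requests: the registered callback, a forwarding
    # endpoint on the same trusted domain, and an unrelated host.
    for uri in (
        "https://app.example/oauth/callback",
        "https://app.example/redirect?next=https%3A%2F%2Fother.invalid%2F",
        "https://other.invalid/oauth/callback",
    ):
        print(uri, compare_policies("client-123", uri))
```

Only the first URI passes the strict check; the loose check also accepts the forwarding endpoint because it shares the trusted domain, which is exactly the situation an exact-match allow list is meant to rule out.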
“The patch of this vulnerability is easier said than done,” says Wang Jing. He has contacted the major companies affected to report the flaw, although they acknowledge that the bug will be difficult to fix in the short term.
Security experts including Jeremiah Grossman, founder and interim CEO at WhiteHat Security, have agreed with Wang’s findings.
However, Brandon Edwards — VP of SilverSky Labs at SilverSky — emphasizes that this is not as major a security hazard as Heartbleed:
“Exposing music preferences, friend lists and other social content can be sensitive and in some cases severe,” he says. “However, generally speaking, the risk of exposure to critical information is much lower, and is isolated to information that vulnerable sites would otherwise be exposing to third-parties anyway. This is far less impactful than Heartbleed, which has the potential to expose the most critical information that a site processes.
Additionally, this vulnerability is not as widespread as Heartbleed, as most of the sites using these technologies are social networking, so this won’t pose a threat to banks, and will not be embedded in networking equipment like routers or VPN gateways. Finally, this vulnerability still relies on user interaction: a user must be phished, lured or convinced to allow access with their account.”
We’ll have more news as this story breaks.