Is 'Covert Redirect' Flaw a Big Deal?
Experts Weigh In on Open Source Authorization Compromise
A newly reported flaw in open-source authorization services, which has been named Covert Redirect, is gaining attention in the aftermath of the widely publicized Heartbleed bug. But security experts say this newly identified bug doesn't appear to pose as big a risk as Heartbleed.
The flaw affects OAuth 2.0 and OpenID, tools that allow users to sign in to certain online services using an existing identity for other sites, such as Facebook, Google and Yahoo. Because of the flaw, a cyber-attacker could potentially compromise the OAuth and OpenID process and steal the information that the user entered, including their e-mail address. But so far, there's no reported evidence attackers have capitalized on the flaw.
Compared to Heartbleed, which exposed a vulnerability in OpenSSL, a widely used cryptographic tool that provides communication security and privacy over the Internet, the Covert Redirect flaw is relatively isolated, says Al Pascual, a senior fraud and security analyst at Javelin Strategy and Research.
"While the use of OAuth and OpenID are pervasive across the Web, this bug is not anywhere near as worrisome as Heartbleed," he says.
Still, sites that rely on OAuth 2.0 and OpenID need to make their users aware of the potential risks.
The Covert Redirect flaw was first reported, and named, by security researcher Wang Jing, a PhD student in mathematics at the Nanyang Technological University in Singapore, who says the flaw in OAuth 2.0 and OpenID impacts all users of the authorization standards, including Facebook, Google, Yahoo, LinkedIn and Microsoft, among others.
For the exploit to work, an Internet user would have to visit a malicious site or application and then log in using the OAuth 2.0 or OpenID process, says Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix.
Say, for instance, the user logged into a website using Facebook credentials. Once the OAuth 2.0 or OpenID process was completed, a cyber-attacker, taking advantage of the flaw, could redirect the token used by OAuth 2.0 or OpenID to access information on Facebook, granting the attacker access to whatever information the user has shared, Baumhof says.
How Big Is The Risk?
Security firm Symantec, in a May 3 blog, notes that while Heartbleed could be exploited just by issuing requests to unpatched servers, Covert Redirect requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.
"Covert Redirect is a security flaw, not a vulnerability," Symantec says. "It takes advantage of third-party clients susceptible to an open redirect."
For the flaw to be exploited, Symantec says, a user would have to grant permissions to a susceptible application in order for the access token to be compromised. "An attacker may then obtain user account data which could be used for further malicious purposes."
Yet Baumhof of ThreatMetrix says the flaw poses some concern, because a fix is not straightforward. Similarly, Symantec notes: "Do not expect a patch. It is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw."
Mitigating the Risks
Organizations and users can take steps to mitigate the risks involved with the Covert Redirect flaw.
Symantec says Internet users need to be careful about what applications and websites they're accessing through OAuth and OpenID. Application developers also need to be mindful of open redirects on their websites. "It is important to lock down open redirects on your website," Symantec says. "Service providers also recommend application developers create a whitelist of OAuth redirect URLs."
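As an added illustration, not code from the article or from any of the providers it names, the following Python sketches the two mitigations Symantec describes: an exact-match allow list of redirect URLs on the authorization server side (contrasted with a loose prefix match that lets a token-carrying redirect slip through), and a guard that keeps a client site's own "next"-style redirect parameter from becoming an open redirect. The client ID, hostnames and registry are constructed examples.

```python
from urllib.parse import urlsplit

# Constructed sample registry (assumption, not a real client):
# client_id -> the redirect URIs registered for that client.
REGISTERED = {
    "demo-client": {"https://client.example/oauth/callback"},
}


def prefix_match(client_id, redirect_uri):
    """Weak policy: accept any redirect_uri that merely starts with a
    registered value. A query string such as ?next=https://attacker.example
    still passes, so a client with an open redirect leaks the token."""
    return any(redirect_uri.startswith(r) for r in REGISTERED.get(client_id, ()))


def exact_match(client_id, redirect_uri):
    """Recommended policy: the presented redirect_uri must equal one of the
    registered values byte for byte; extra path, query or fragment is rejected."""
    return redirect_uri in REGISTERED.get(client_id, ())


def safe_local_redirect(next_param):
    """Client-side guard for a 'next'/'url' style parameter: only a path on
    this site is honoured; anything that could leave the site falls back to /."""
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:        # absolute URL or //host form
        return "/"
    if "\\" in next_param:                  # browsers may treat \ as /
        return "/"
    if not next_param.startswith("/"):      # relative paths are ambiguous
        return "/"
    return next_param


if __name__ == "__main__":
    leak = "https://client.example/oauth/callback?next=https://attacker.example/"
    print("prefix match accepts token-leaking URI:", prefix_match("demo-client", leak))
    print("exact match accepts token-leaking URI: ", exact_match("demo-client", leak))
    print("open-redirect guard:", safe_local_redirect("//attacker.example/"))
```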
Pascual adds: "As long as users do not interact with malicious links and/or websites, the risk is negligible. Users should be on the lookout for an increase in unsolicited e-mails that purport to be from Facebook or other sites that utilize Facebook credentials for single sign-on."
Sites that rely on the OAuth 2.0 and OpenID credentialing process should make their users aware of the vulnerability and provide recommendations for how to avoid having their sensitive information compromised, Pascual says.