UCIT Office of Information Security Alert Bulletin (05/02/2014)
OpenID and OAuth Vulnerability Alert
OpenID and OAuth Vulnerability Summary
This vulnerability may also be referred to as the “Covert Redirect” flaw.
The vulnerability allows attackers to use malicious phishing links to trick users into authorizing an app or website.
For example, if you visit a site and click a button to log in with Google or Facebook, you'll see the familiar authorization popup. If you authorize the login, your personal data can be sent to the hacker instead of to the site. This can include your email address, contact lists, birthday, and more. The vulnerability could also redirect you to a different look-alike website.
Perhaps the scariest aspect is that the Covert Redirect flaw does not use a fake domain that a more savvy user might spot; instead it uses the real address of the site you are trying to log into, so it is very hard to detect.
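As an added example (not part of the bulletin or of any provider's code), the following Python shows the provider-side check that matters here: a loose, host-only comparison of the redirect_uri lets an authorization code be sent to any path on the real site, including a hypothetical open-redirect path that forwards it elsewhere, while an exact match against the registered value rejects it and, per the OAuth spec, shows an error instead of redirecting. Client id, hostnames and paths are constructed sample values.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample registration (not from the bulletin): the redirect URIs
# each client registered with the identity provider when it was created.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://example-app.test/oauth/callback"},
}


def domain_only_match(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any HTTPS URL on a registered host is accepted.
    If that host also offers an open redirect, the authorization code is
    delivered to the real site and then bounced on; this is the loose
    matching that Covert Redirect relies on."""
    supplied = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if (supplied.scheme == "https"
                and supplied.hostname == urlsplit(registered).hostname):
            return True
    return False


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the supplied redirect_uri must equal a registered value
    character for character, so extra path segments, query strings or a
    different host never pass."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, code: str, validator) -> tuple:
    """Authorization-endpoint decision. On a mismatch the provider must show
    the user an error and must NOT redirect to the supplied URI at all."""
    if not validator(client_id, redirect_uri):
        return ("error", "invalid redirect_uri; no redirect issued")
    separator = "&" if "?" in redirect_uri else "?"
    return ("redirect", redirect_uri + separator + urlencode({"code": code}))


# Constructed attacker-chosen value: the real client host, but pointing at a
# hypothetical open-redirect path rather than the registered callback.
COVERT = "https://example-app.test/go?url=https://attacker.test/"

if __name__ == "__main__":
    for name, check in (("host-only", domain_only_match), ("exact", exact_match)):
        print(name, authorize("client-123", COVERT, "c0de", check))
```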
Additional information may be found at: http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/ and at http://lifehacker.com/security-flaw-found-in-oauth-and-openid-heres-what-it-1570872265.
What applications does this affect?
This vulnerability currently affects websites and applications that use credentials from websites such as Facebook, Twitter, Google, Yahoo, LinkedIn, Microsoft, PayPal, and others as a means to log into them.
How will the vulnerability be remediated?
CNET reports that this is not easy for sites to fix.
That is, there is no simple fix, and the effective remedies would degrade the user experience. It is just another example of how Web security is fundamentally broken, and the parties responsible have little incentive to address the inherent flaws.
What should I do?
The UCIT Office of Information Security suggests that users perform the following:
- Whenever possible, do not use credentials from websites such as Facebook, Twitter, Google, Yahoo, LinkedIn, Microsoft, PayPal, and others as a means to log into other websites or applications.
- Be wary of links that immediately ask you to log in; closing the window stops the redirection attack from completing.
What Can I Do to Help?
Please distribute this Security Alert to anyone who you feel needs to be made aware.
Contact the UCIT Integrated Services Desk at 513-556-HELP (4357), 866-397-3382 or firstname.lastname@example.org or the UCIT Office of Information Security at 513-558-ISEC (4732) or email@example.com with any questions or concerns.