Sign in with
Sign up | Sign in

Facebook, Google Users Threatened by New Security Flaw

By - Source: Tom's Guide US | B 3 comments

A serious flaw in two widely used security standards could give anyone access to your account information at Google, Microsoft, Facebook, Twitter and many other online services. The flaw, dubbed "Covert Redirect" by its discoverer, exists in two open-source session-authorization protocols, OAuth 2.0 and OpenID.

Both standards are employed across the Internet to let users log into websites using their credentials from other sites, such as by logging into a Web forum using a Facebook or Twitter username and password instead of creating a new account just for that forum.

MORE: 7 Scariest Security Threats Headed Your Way

Attackers could exploit the flaw to disguise and launch phishing attempts from legitimate websites, said the flaw's finder, Ph.D. student Wang Jing of the Nanyang Technological University in Singapore.

Wang believes it's unlikely that this flaw will be patched any time soon. He says neither the authentication companies (those with which users have an account, such as Google, Microsoft, Facebook, Twitter or LinkedIn, among others) nor the client companies (sites or apps whose users log in via an account from an authentication company) are taking responsibility for fixing the issue.

"The vulnerability is usually due to the existing weakness in the third-party websites," Wang writes on his own blog. "However, they have little incentive to fix the problem."

The biggest danger of Covert Redirect is that it could be used to conduct phishing attacks, in which cybercriminals seize login credentials, by using email messages containing links to malicious websites disguised as something their targets might want to visit.

Normal phishing attempts can be easy to spot, because the malicious page's URL will usually be off by a couple of letters from that of the real site. The difference with Covert Redirect is that an attacker could use the real website instead by corrupting the site with a malicious login popup dialogue box.

For example, say you regularly visit a given forum (the client company), to which you log in using your credentials from Facebook (the authentication company). Facebook uses OAuth 2.0 to authenticate logins, so an attacker could put a corrupted Facebook login popup box on this forum.

If you sign in using that popup box, your Facebook data will be released to the attacker, not to the forum. This means the attacker could possibly gain access to your Facebook account, which he or she could use to spread more socially engineered attacks to your Facebook friends.

Covert Redirect could also be used in redirection attacks, which is when a link takes you to a different page than the one expected.

Wang told CNET authentication companies should create whitelists — pre-approved lists that block any not on it — of the client companies that are allowed to use OAuth and OpenID to redirect to them. But he said he had contacted a number of these authentication companies, who all shifted blame elsewhere.

Wang told CNET Facebook had told him it "understood the risks associated with OAuth 2.0" but that fixing the flaw would be "something that can't be accomplished in the short term." Google and LinkedIn allegedly told Wang they were looking into the issue, while Microsoft said the issue did not exist on its own sites.

Covert Redirect appears to exist in the implementations of the OpenID and OAuth standards used on client websites and apps. But because these two standards are open-source and were developed by a group of volunteers, there's no company or dedicated team that could devote itself to fixing the issue.

MORE: Identity Theft Victim? Here's 6 Things You Need to Do

Where does that leave things? 

"Given the trust users put in Facebook and other major OAuth providers, I think it will be easy for attackers to trick people into giving some access to their personal information stored on those service," Chris Wysopal, chief technology officer of Boston-area security firm Veracode and a member of the legendary 1990s hackerspace the L0pht, told CNET.

"It's not easy to fix, and any effective remedies would negatively impact the user experience," Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security, told CNET. "Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws."

Users should be extra-wary of login popups on Web pages. If you wish to log into a given website, it might be better to use an account specific to that website instead of logging in with Facebook, Twitter, or another authentication company, which would require the use of OAuth and/or OpenID to do.

If you think someone has gained access to one of your online accounts, notify the service and change that account's password immediately.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Discuss
Add your comment Display 3 comments.
  • 0 Hide
    spdragoo , May 2, 2014 12:34 PM
    "Given the trust users put in Facebook and other major OAuth providers..."

    Seriously, it was all I could do to keep from ROTF. Trust? For Facebook?!? The only time I use my Facebook login...is to log into Facebook. Just like I use my Yahoo login for Yahoo, or my Tom's Hardware login for Tom's Hardware.
  • 0 Hide
    koss64 , May 5, 2014 10:41 AM
    Could someone please tell me why having a lock everyone has the plans to a good idea(as essentially that is what an open source security protocol amounts to)? No one is even going to fix it because its apparently no one's code, if it was proprietary then someone could be held accountable for a quick fix.
  • 0 Hide
    Tunie , May 19, 2014 2:29 PM
    It is not paranoia that drives my desire for privacy, it is the fundamental creepiness and annoyance of being tracked, and secondly, seeing ridiculous content featured based upon random surfing that has little to do with my life. None of the intelligent content I search is featured, of course, only the most banal and stupid. I don't want that crap associated with my data trail but I'm not interested in giving up my freedom to search and browse for relaxation and entertainment. Privacy IS a fundamental human birthright.
React To This Article

Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter