A new vulnerability in the open authentication framework OAuth is not the new Heartbleed, but it is affecting major websites.
According to Symantec, this is not the next Heartbleed, but it is a security flaw in the implementation of OAuth by service providers. Also named Covert Redirect, this takes advantage of third-party clients susceptible to an open redirect and requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.
An open protocol to allow secure authorisation from web, mobile and desktop applications, OAuth is the authorising mechanism and enables third-party applications to obtain access to user accounts.
“For example, an attacker could covertly issue a request to a service provider’s API using a susceptible site’s app and modify the redirect_uri parameter,” it said. “The new modified redirect_uri parameter maliciously redirects users after they have successfully authenticated. In a malicious request, the attacker receives the user’s access token, the approved application does not.”
According to Wang Jing, who wrote a research paper on it, this affects websites such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal and GitHub. Jing said in a blog post: “For OAuth 2.0, these attacks might jeopardize ‘the token’ of the site users, which could be used to access user information. In the case of Facebook, the information could include the basic ones, such as email address, age, locale, work history, etc.
“If the token has greater privilege (the user needs to consent in the first place though), the attacker could obtain more sensitive information, such as mailbox, friends list and online presence, and even operate the account on the user’s behalf.
“For OpenID, the attackers may get user’s information directly. Compounded by the large number of companies involved, this vulnerability could lead to huge consequences if left unresolved.”
Jing said that the problem with this is that the host company may see the service provider as responsible, and therefore it is not solely their problem, but for the provider, the problem does not originate from its own website. “Even if it is willing to take on the responsibility, it has to gain cooperation from all the clients, which is nonetheless a daunting task. In my opinion, the providers should be responsible for the vulnerability because the attacks are mainly targeted at them.”
In order to fix the vulnerability, Jing said that the best solution is to whitelist applications. He has reported this to related companies, which Google, Microsoft and others said that they were dealing with.