Attack on OAuth and OpenID
As if Heartbleed weren't bad enough, a new bug has been found in OpenID and OAuth 2.0, two popular authentication protocols that let users log into websites with the same credentials they use at Google, Twitter, Facebook and others. Are you at risk?
The vulnerability in OAuth and OpenID is called the "Covert Redirect" flaw and allows hackers to trick users into authorizing an app or site through malicious phishing links. Users who visit a site carrying such a link and click to log in with their social credentials see the normal authorization popup, but the user's personal data is then sent to the hacker instead of to the site. Information including email addresses, contact lists, birthdays and much more is essentially in jeopardy as a result of the security flaw.
According to several different reports, the security flaw is very difficult to detect because the authorization request uses the real site's address. Worse, it is not easy for sites to fix, although many that use these systems are working to keep the issue from affecting their users.
"When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability," James Barrese, PayPal's CTO, said in a blog post on Friday.
Website Magazine will keep readers up to date on this story as it develops.