Covert Redirect Security Flaw in Sites Using OAuth and OpenID

Late last week, a PhD student at Nanyang Technological University named Wang Jing published a vulnerability report on what he has called “Covert Redirect.” Covert Redirect is a security flaw that affects websites that use the OAuth and OpenID identity verification systems. Due to its proximity to Heartbleed, the critical security vulnerability that occurred less than one month ago, Covert Redirect is garnering a lot of media coverage.

Covert Redirect is a problem, but it is not “the next Heartbleed.”

What is Covert Redirect?

Many websites use the OAuth and OpenID identity verification systems to allow users to log in using another, larger website’s credentials. OAuth and OpenID are implemented to simplify the user experience and consolidate users’ digital identities. For example, if you have ever created an account on a new website or app and it asked you to “Log in with Facebook,” you have probably used OAuth or OpenID.

Covert Redirect is a problem with the internal security measures of websites that utilize OAuth and OpenID. It is not a problem with OAuth and OpenID themselves. Covert Redirect is actually just one instance of the general open redirect problem, which website/app developers have known about for years. An open redirect occurs when a website has a security design flaw that lets an attacker choose where the site redirects its users. Attackers use open redirects to steal the access tokens that normally allow users to log in to an established account on a large website like Facebook or Google through an application or smaller website. Attackers can then later use those stolen access tokens to log in to a user’s account through their malicious website, and thereby steal user credentials or use the user’s account for illegal activity.

How Can I Stay Protected?

Use caution when you grant applications and websites access to your established accounts.

In order for Covert Redirect to work, a user would need to click on a link from an attacker that asked them to log in to a website or application via Facebook, Google, LinkedIn, or any other large website. The link would appear as though it were a legitimate request to do so from a website or application the user actually uses, but in reality it would be a malicious link designed to redirect the user’s access token to the attacker.

Covert Redirect is a problem because in today’s digital economy there are literally thousands of small-scale apps and websites that use OAuth and OpenID to connect to larger social sites. Complete mitigation would therefore require the developers of every single one of those apps and websites to check their products for the open redirect vulnerability. Additionally, it would require tech giants like Google and Facebook to compile sprawling whitelists of every single app/website they dole out access tokens to through OAuth and OpenID. Such apps and websites are born on a daily basis, making this task technically impossible.
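As an added illustration (not code from the post, nor from any of the sites it names), the Python below sketches the two checks the post calls for: on the identity-provider side, an exact-match whitelist of registered redirect URIs, contrasted with the host-only comparison that leaves room for an open redirect on the app's own domain; and on the app side, a guard that keeps a post-login “next” parameter on the site. The client id, hostnames and URIs are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registration record for a hypothetical client app (placeholder values).
REGISTERED_REDIRECT_URIS = {
    "myapp": {"https://myapp.example/oauth/callback"},
}

def normalize(uri: str) -> str:
    """Lower-case scheme and host, default an empty path to '/', drop any fragment.
    Everything else (path, query) must match byte for byte."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def provider_accepts_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Identity-provider side: the redirect_uri in the authorization request must
    exactly equal one the client pre-registered. An unregistered path on the same
    host (e.g. the app's own 'redirect?next=...' endpoint) is refused."""
    allowed = {normalize(u) for u in REGISTERED_REDIRECT_URIS.get(client_id, set())}
    return normalize(redirect_uri) in allowed

def host_only_accepts_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """The weaker practice, shown for contrast: only the host is compared, so any
    path on the registered domain is accepted, including an open redirect."""
    hosts = {urlsplit(u).netloc.lower() for u in REGISTERED_REDIRECT_URIS.get(client_id, set())}
    return urlsplit(redirect_uri).netloc.lower() in hosts

def client_safe_redirect_target(target: str) -> str:
    """Client-app side: a post-login 'next' value may only be a site-relative path.
    Anything carrying a scheme or host, a scheme-relative '//host' form (including
    '///host', which browsers collapse to '//host'), or a backslash (which browsers
    treat as a slash) is replaced by the site root."""
    p = urlsplit(target)
    if p.scheme or p.netloc or target.startswith("//") or "\\" in target:
        return "/"
    if not target.startswith("/"):
        return "/"
    return target

if __name__ == "__main__":
    print(provider_accepts_redirect_uri("myapp", "https://myapp.example/oauth/callback"))
    print(provider_accepts_redirect_uri("myapp", "https://myapp.example/redirect?next=x"))
    print(client_safe_redirect_target("//other.example/"))
```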

In short: If you don’t trust it, don’t click it. In cases of doubt where you still want to try the app or website, you can always attempt to create a new, anonymous buffer account on the site itself.

A Word on Vulnerability Disclosure

The media is making a big deal out of Covert Redirect because of Heartbleed. In fact, the researcher who discovered Covert Redirect has very clearly made intentional efforts to model his disclosure after Heartbleed’s. For comparison see: http://heartbleed.com/ and then http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html.

Whether this similarity is helpful or not is hard to say. There is no doubt that open redirects are a huge security problem and that websites and applications that are vulnerable to them should resolve the issue as soon as possible; however, this is not really a new problem of Heartbleed proportions. Heartbleed allowed attackers to access user credentials with one little remote request to the server where they were being held. Covert Redirect, on the other hand, can only work if a user is duped into clicking a bad link through social engineering. This makes Covert Redirect a problem, but not an insurmountable one. Its buzz can be seen as both a call to web developers to tighten up their design practices and to web users to stay alert – two not-so-negative side effects which will contribute to a more Malware-Free World.

Have a great one!