
posted by LaminatorX on Friday May 02 2014, @10:34PM
from the Another-one-bites-the-dust dept.

As reported by CNET and other news publishers, a major flaw has been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered the serious vulnerability, dubbed Covert Redirect, which can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter.
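As an added illustration (not code from the article or from the researcher's write-up), the check below contrasts a loose, domain-level redirect_uri match, which lets an OAuth provider send a token to any page on the client's domain, with exact matching against pre-registered callback URIs; the client name, paths and the sample request are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: the callback URIs a client pre-registered with the
# authorization server (hypothetical client name, not from the article).
REGISTERED_REDIRECT_URIS = {
    "https://client.example/oauth/callback",
}


def domain_match_allows(redirect_uri: str) -> bool:
    """Loose policy: accept any redirect_uri whose scheme and host match a
    registered one. Any page on the client domain passes, including a
    redirector endpoint that forwards to wherever its query string says."""
    requested = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS:
        r = urlsplit(registered)
        if (requested.scheme, requested.netloc) == (r.scheme, r.netloc):
            return True
    return False


def exact_match_allows(redirect_uri: str) -> bool:
    """Strict policy: the requested redirect_uri must equal a registered
    URI byte for byte, so no extra path, query or fragment is accepted."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def validate_authorize_request(params: dict) -> str:
    """Return the redirect target for an authorization request, or raise.
    Refusing to redirect at all on a mismatch matters: even an error
    response must not be bounced to an unregistered location."""
    redirect_uri = params.get("redirect_uri", "")
    if not exact_match_allows(redirect_uri):
        raise ValueError("redirect_uri not registered; refusing to redirect")
    return redirect_uri


# Constructed request: redirect_uri names a redirector path on the
# legitimate client domain whose query string carries the real destination.
SUSPECT_URI = "https://client.example/go?next=https://third-party.example/"
```

With the loose policy `SUSPECT_URI` is accepted and the provider would send the token to the client's redirector; with exact matching the request is rejected before any redirect happens.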

  • (Score: 2) by FatPhil on Saturday May 03 2014, @06:54AM

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Saturday May 03 2014, @06:54AM (#39168) Homepage
    m?

    The flaw is that you trusted facebook/whoever to pass information to another site/app. And that other site/app was not trustworthy, as it is prepared to pass arbitrary information on to arbitrary other sites.

    The fact that facebook relied on OAuth to check whether it should be passing the information on to someone else seems irrelevant. Facebook was just doing what you told it to; if it had also demanded a signature, voice print, captcha, retina scan and blood sample as well as OAuth, the issue would still exist.

    The default-trust approach is fundamentally broken, compounded by the physical inability to measure trustworthiness. (As I can't tell the difference between google.com and hacksaws.ru, I trust both of them equally - zero.) That and actively wanting websites to know information about you. You're getting what you're asking for.

    And finally, was it just me, or did that youtube video have no audio? (Youtube the website stopped working for me about a week ago, I now have to download the videos with a script and play them locally, so other just-for-luddite-me-brokenness wouldn't be surprising at all.)
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by maxwell demon on Saturday May 03 2014, @03:39PM

      by maxwell demon (1608) on Saturday May 03 2014, @03:39PM (#39258) Journal

      I don't get audio either (I watch in the browser and have several security-related plugins, so I cannot exclude the possibility that something blocks it; OTOH I get the sound for other YouTube videos).

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by michealpwalls on Saturday May 03 2014, @02:21PM

    by michealpwalls (3920) on Saturday May 03 2014, @02:21PM (#39243) Homepage Journal

    I can't watch a YouTube "video" without audio. Why not just give us the text, it would be so much more readable!?

    With that rant out of the way... I couldn't agree more with the first comment here. You as the human have to take some responsibility for the things you do. You can't just go around granting every random website you go to access to your secure Google or Facebook accounts.

    My approach is a bit over-blown for the average users, however I'm sure it could be easily adapted... Create a set of passwords of varying strength. My Admin/Root accounts have the strongest, convoluted password of the set. Google the number 2, my "student account" at the College has my level 3 pw and so on. SoylentNews has a 1-off password that I made up specifically for SN. Let's face it, this is how you have to conduct yourself. In this way, if SN gets compromised, the problem stops there. You cannot then take my username/password from the compromised SN and use it to authenticate elsewhere. That's just crazytalk. SN certainly doesn't have my Google account's token, that would be even crazier!

    TL;DR: Stop granting random websites access to your secure Facebook and/or Google tokens. They can turn around and use the tokens against you some day :)
    In fact, stop requesting that websites even support these ridiculous Single Sign-On mechanisms. Convenience is fundamentally opposed to Security. They are at opposite ends of the User Experience spectrum.