A statement from a researcher about security flaws in OAuth and OpenID has serious flaws of its own, according to those familiar with the specifications in question.
News of this security issue spread quickly, with claims that the two identity specifications were flawed and that hackers could steal users' log-in information and other data needed to log in. It immediately drew comparisons to Heartbleed in terms of its potential to shake the foundations of the Internet.
But the bug, which has already been named the Covert Redirect Vulnerability, resembles Heartbleed only in that it came pre-packaged with a made-up name, a website and a logo.
The flaws “discovered” by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, are already known issues, and the creators of the specs have already worked out mitigation methods. The flaws don’t lie with OAuth and OpenID themselves; they arise from website implementations that allow something called an open redirect. This lets the web browser send credentials back to a URL that does not match the URL that originally requested the credentials.
OAuth, a framework, and OpenID, a protocol built on that framework, are key parts of secure log-ins and the safe sharing of access-control credentials across Internet domains. Both are used by Internet giants such as Google, Microsoft and LinkedIn. Facebook, for its part, uses OAuth and something similar to OpenID.
Jing, who released videos explaining the exploit, demonstrates how Facebook’s OAuth implementation is abused through an open redirect parameter that sends the user’s access token to a malicious site instead of the site that was originally intended to receive the credentials.
Here is an example of how it works: someone who clicks a malicious phishing link gets a pop-up window in Facebook asking them to authorize the app; if they choose to authorize the log-in, their personal data is released to the attacker instead of to the website that originally requested the credentials. This data can include email addresses, personal information and contact lists, and possibly even control of the account.
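The mitigation the article alludes to is the one the spec authors already describe: the authorization server accepts a redirect_uri only if it exactly matches one registered for the client, and the client's own callback page refuses to forward the browser to an arbitrary third-party URL. The following example, added here and not taken from the article, from Wang Jing's videos or from any provider's code, contrasts that strict check with the loose host-only check that leaves room for an open redirect, and shows a client-side callback that only honours same-origin paths. The client id, hostnames and registry are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registry: client_id -> set of exactly registered redirect URIs.
# Hypothetical data for illustration, not any real provider's configuration.
REGISTERED_REDIRECTS = {
    "example-client": {
        "https://app.example.com/oauth/callback",
    },
}


def normalize(uri: str) -> tuple:
    """Reduce a URI to the components that must match exactly.

    Scheme and host are compared case-insensitively; port, path and query are
    compared literally. A fragment is never valid in a redirect_uri.
    """
    parts = urlsplit(uri)
    if parts.fragment:
        raise ValueError("redirect_uri must not contain a fragment")
    host = (parts.hostname or "").lower()
    return (parts.scheme.lower(), host, parts.port, parts.path or "/", parts.query)


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: accept only an exact match against the
    registered list. No prefix, substring or host-only matching."""
    try:
        wanted = normalize(redirect_uri)
    except ValueError:
        return False
    return any(normalize(r) == wanted for r in REGISTERED_REDIRECTS.get(client_id, ()))


def loose_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """The weak pattern: only the host is compared, so any path on the client's
    domain is accepted, including a page that forwards the browser elsewhere.
    Shown here only to make the difference visible; do not use it."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    registered_hosts = {
        (urlsplit(r).hostname or "").lower()
        for r in REGISTERED_REDIRECTS.get(client_id, ())
    }
    return host in registered_hosts


def safe_next_target(request_url: str) -> str:
    """Client side: the callback page often honours a `next` parameter to send
    the user back to where they started. Only same-origin relative paths are
    honoured; absolute, protocol-relative or backslash-tricked values fall back
    to the site root, so the callback cannot act as an open redirector."""
    query = parse_qs(urlsplit(request_url).query)
    target = query.get("next", ["/"])[0]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or "\\" in target or target.startswith("//"):
        return "/"
    return target if target.startswith("/") else "/" + target


if __name__ == "__main__":
    cid = "example-client"
    # The registered callback is accepted by both checks.
    print(strict_redirect_allowed(cid, "https://app.example.com/oauth/callback"))
    # A forwarding page on the same host passes the loose check but not the strict one.
    forwarding = "https://app.example.com/redirect?to=https://attacker.example/"
    print(loose_redirect_allowed(cid, forwarding), strict_redirect_allowed(cid, forwarding))
    # The callback itself only follows same-origin paths.
    print(safe_next_target("https://app.example.com/oauth/callback?next=/account"))
    print(safe_next_target("https://app.example.com/oauth/callback?next=https://attacker.example/"))
```

The two halves are independent: exact matching on the authorization server stops a token from being sent to an unregistered URL, and the allow-list on the client's callback stops a registered URL from becoming the open redirect the article describes. Both are needed, because the server cannot know what the client's page does with the request after it arrives.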
Until we know more, your best option is to be extra careful about logging into sites using Microsoft, Google, or Facebook. Be careful about the sites and links you visit; it is sometimes better to spend a couple of extra minutes registering a new account than to have your information stolen.