May 7, 2014

What's 'Covert Redirect' and how can you protect yourself?

Covert Redirect
Many sites and apps let you login with
your social media identity.

In our interconnected digital age, I'm sure you have multiple accounts requiring you to login. Many sites or apps (such as Pinterest or Buffer App) simplified logins by using single sign on (SSO) allowing you to log in with your Facebook, Twitter, or Google+ identity.

Unfortunately, two security standards widely used by SSOs, contain a security flaw that could give hackers access to your online service accounts. Security researchers refer to the flaw in the open-source session-authorization protocols, OAuth 2.0 and OpenID, as "covert redirect." 

Cyber criminals could use hard to detect phishing attacks to take advantage of third-party clients susceptible to an open redirect. Usually phishing attempts contain malicious URLs that are slightly off from the legitimate site; however, covert redirect allows hackers to use the legitimate website within the phishing email. They corrupt the legitimate website with a malicious login popup dialogue box that tricks Facebook or other credential platform into releasing your information to the hacker instead of the legitimate site.
Good news. Security researchers don't think covert redirect poses as big of risk as Heartbleed. Additionally, there is little evidence that cyber criminals have successfully exploited the  covert redirect flaw.

Bad news. Since neither of the authentication companies or client companies are taking responsibility for this issue, don't expect this vulnerability to be fixed anytime soon. Both sides appear to be shifting blame rather than taking any type of responsibility. As mentioned earlier, the SSO security standards are open source. They were developed by a group of volunteers, so we don't have a group of dedicated professionals working to patch this issue. It appears to be user beware out there!

What to do?
    covert redirect
  • Be careful about what apps and websites you're using SSO to access. The only way for hackers to get your information is through your interaction with malicious sites or pop-ups.

  • Be on the lookout for an increase in unsolicited emails claiming to be from Facebook or other sites that utilize Facebook credentials for SSO.

  • If you're concerned about using SSO, use an account specific to that website instead of logging in with Facebook, Twitter, or any other authentication company using OAuth or OpenID.

  • Don't like having multiple usernames and passwords? Create a fake Facebook, Twitter, or Google account solely for SSO purposes. This account wouldn't have any personal information or friends/followers/circles for hacker to exploit should you inadvertently become a victim of this security flaw.

  • If you think you're a victim of covert redirect, immediately change your password for your account with the authentication company.

References:
Roman, J. (05 May 2014). Is 'covert redirect' flaw a big deal? Experts weigh in on open source authorization compromise. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/covert-redirect-flaw-big-deal-a-6813

Scharr, J. (05 May 2014). Facebook, Google users threatened by new security flaw. Fox News. Retrieved from http://www.foxnews.com/tech/2014/05/05/facebook-google-users-threatened-by-new-security-flaw/

Symantec (03 May 2014). Covert redirect flaw in OAuth is not the next Heartbleed. Retrieved from http://www.symantec.com/connect/blogs/covert-redirect-flaw-oauth-not-next-Heartbleed 
Enhanced by Zemanta

No comments:

Post a Comment