A major new vulnerability affecting websites that allow people to log in using their social media accounts has been discovered. The flaw exists in widely used open-source systems like OpenID and OAuth 2.0, and works by redirecting users to malicious websites that can steal their personal info and data.
The “Covert Redirect” vulnerability was discovered by Chinese doctoral student Jing Wang last week. It’s apparently been known about for a while, but the worry is that attacks could intensify with the extra publicity.
Wang explains the flaw in this blog post, but essentially it works by tricking users into thinking they’re signing into websites via their Facebook, Twitter, Amazon or Google (and others) accounts, and then redirecting them to a malicious site. Depending on what level of access has been granted, attackers can lift personal information, contact lists, and even stored data in the case of Google Apps users.
Although not nearly as serious as Heartbleed, Covert Redirect is still something that needs attention. Wang admits that “I am not sure whether someone has used the vulnerability or not”, but the worry is that attacks will often follow once a vulnerability has been widely publicized, as is the case with this flaw.
Social login systems are popular with developers because they make it simple to log in to sites and services using credentials from Facebook, Google, Amazon or whatever service you use regularly. This benefits both the developers and the big web companies – developers are free to focus on what they do best without needing to build their own authorization software, while Facebook and the others get their hands on more data about users.
In theory it’s a sound idea, but problems arise because the big web companies are somewhat lax about how they implement it. For example, Facebook encourages developers to close the OAuth vulnerability by using a whitelist of safe URLs that users can be redirected to. Unfortunately, this is only a ‘recommendation’, so many developers ignore it.
When presented with the problem, the big web companies’ responses varied quite considerably. Kudos goes to LinkedIn, which posted this blog about how it intends to deal with the problem, and also China’s Weibo, which said it intends to have its developers look for a solution. Google was somewhat less encouraging, saying it was “aware of the problem and tracking it at the moment”, while all Facebook would say is that it’s aware of the risk. Microsoft’s answer was to brush it off, recommending that Wang report the issue to third parties instead, while Yahoo and PayPal both ignored Wang entirely.
In fairness, patching the vulnerability is no easy feat as the problem does lie with the third-party websites. The only real solution for now is forcing everyone to use whitelists.
“If all the third-party applications strictly adhere to using a whitelist,” writes Wang, “then there would be no room for attacks.”
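To make the whitelist point concrete, here is an added example (written for this page, not Wang’s code nor any provider’s) contrasting the lax redirect_uri check that Covert Redirect exploits with the exact-match allow list the article recommends; the client id, URLs and request values are constructed.

```python
from urllib.parse import urlsplit, urlencode

# Constructed allow list: each client id maps to its registered redirect URIs.
# (Hypothetical client id and URLs, not from the article.)
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def host_only_match(client_id: str, redirect_uri: str) -> bool:
    """The lax check Covert Redirect relies on: any HTTPS URL on a registered host passes.
    An open redirector on that host (e.g. /go?to=...) then forwards the code wherever
    its parameter points, which is exactly the behaviour the article describes."""
    registered_hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in registered_hosts


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """The whitelist fix: redirect_uri must equal, byte for byte, one of the URIs
    registered for this client. No host, prefix or pattern matching."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id: str, redirect_uri: str, code: str, check=exact_match) -> dict:
    """Simulated authorization-endpoint decision. A valid redirect_uri gets the code
    appended. An invalid one must not be redirected to at all (even with an error,
    since that would itself be an open redirect); the server renders an error locally."""
    if not check(client_id, redirect_uri):
        return {"action": "render_error", "error": "invalid_request",
                "reason": "redirect_uri not registered"}
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return {"action": "redirect", "location": redirect_uri + sep + urlencode({"code": code})}


# Constructed requests: a legitimate callback and a Covert-Redirect-style one that rides
# an open redirector on the client's own domain.
LEGIT = "https://app.example.com/oauth/callback"
COVERT = "https://app.example.com/go?to=https://evil.example/collect"

if __name__ == "__main__":
    for uri in (LEGIT, COVERT):
        print("host-only:", authorize("client-123", uri, "AUTHCODE", host_only_match))
        print("exact:    ", authorize("client-123", uri, "AUTHCODE", exact_match))
```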
In the meantime, users’ only recourse is to be careful whenever they’re logging into sites or applications via their social media accounts. It’s almost impossible to know for sure whether a social login can be trusted, but users should be especially wary when they receive a sudden request for their login and password that they weren’t expecting.