Aloysius Low
Serious security flaw in OAuth, OpenID discovered
Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software.
This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.
Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability "Covert Redirect" flaw can masquerade as a login popup based on an affected site's domain.
Facebook isn't the only site affected. Wang says he has reported this to Google, LinkedIn and Microsoft, who gave him various responses on how they would handle the matter.
Google (which uses OpenID) told him that the problem was being tracked, while LinkedIn said that the company would publish a blog on the matter soon. Microsoft, on the other hand, said that an investigation had been done and that the vulnerability existed on a the domain of a third-party and not on its own sites.