A serious Covert Redirect vulnerability related to OAuth 2.0 and OpenID has been found. Almost all major providers of OAuth 2.0 and OpenID are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, Paypal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.
Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability "Covert Redirect" flaw can masquerade as a log-in popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter.
For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication.
If a user chooses to authorize the log in, personal data (depending on what is being asked for) will be released to the attacker instead of to the legitimate website. This can range from email addresses, birth dates, contact lists, and possibly even control of the account.
Regardless of whether the victim chooses to authorize the app, he or she will then get redirected to a website of the attacker's choice, which could potentially further compromise the victim.
Wang says he has already contacted Facebook and has reported the flaw, but was told that the company "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."
Facebook isn't the only site affected. Wang says he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.