Covert Redirect Flaw in OAuth is Not the Next Heartbleed
Coming off the heels of the Heartbleed bug, a new report on a security flaw called “Covert Redirect” is garnering a lot of media attention—so much that some outlets are referring to it as the next Heartbleed. But is Covert Redirect as bad as Heartbleed? Definitely not.
Is this the next Heartbleed?
No, it is not. This is a security flaw in the implementation of OAuth by service providers.
Why is Covert Redirect not as bad as Heartbleed?
Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers. Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.
What is Covert Redirect?
Covert Redirect is a security flaw, not a vulnerability. It takes advantage of third-party clients susceptible to an open redirect.
For example, an attacker could covertly issue a request to Facebook’s API using ESPN’s Facebook app and modify the redirect_uri parameter. The new modified redirect_uri parameter maliciously redirects users after they have successfully authenticated.
Standard Request: facebook.com/dialog/oauth?redirect_uri=espn.go.com&scope=email&client_id=123&response_type=token
Malicious Request: facebook.com/dialog/oauth?redirect_uri=m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=badsite.com&scope=email&client_id=123&response_type=token
In the case of a malicious request, the attacker receives the user’s access token, instead of the approved application.
What is OAuth?
OAuth is an open protocol to allow secure authorization from web, mobile and desktop applications. When using OAuth—like a “Login with Facebook” button—OAuth is the authorizing mechanism and enables third-party applications to obtain access to user accounts.
What is the risk to users?
For this flaw to be exploited, it requires interaction from users. A user would have to grant permissions to a susceptible application in order for the access token to be compromised. An attacker may then obtain user account data which could be used for further malicious purposes.
What is the impact to application developers?
If there is an open redirect on your website, an attacker could target your application for Covert Redirect. It is important to lock down open redirects on your website.
What is the next step?
While Covert Redirect is a notable security flaw, it is not on the same level as Heartbleed. Covert Redirect serves as a reminder to be careful about what applications you grant access to.
Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw.
