Serious security flaw in OAuth and OpenID discovered

Aloysius Low reports:

Following in the steps of the OpenSSL vulnerability Heartbleed, another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans including Google, Facebook, Microsoft, and LinkedIn, among others.

Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, discovered that the serious vulnerability “Covert Redirect” flaw can masquerade as a login popup based on an affected site’s domain. Covert Redirect is based on a well-known exploit parameter.

Read more on CNet.

About the author: Dissent

Comments are closed.