In the wake of last month’s destructive vulnerability Heartbleed, yet another major weakness has been uncovered. Recently, a security flaw was identified in the OAuth/OpenID functionality. Please be aware, this could allow someone to obtain your personal information for accounts such as Google or Facebook and could possibly take control of the account altogether.
The scheme behind redirection…
Have you ever been to a site where the site gives you the option to log-in using a third party account? This allows you to use account credentials from, for example, your Google or Facebook account to log into the current site instead of having a separate username and password for that site.
The flaw enables a fake “log-in using a third party account” page to appear and pass your information to the malicious source in addition to the proper site you were expecting.
CNET reported earlier this week that the discovery employs vulnerability “Covert Redirect” that targets a log-in, pop-up on the affected sites domain to redirect the user to authorize the third party account. What is tricky about the Covert Redirect is that the fault uses the actual site address for authentication instead of a fake address.
What are you facing?
What users are finding as a result of this flaw are a collaboration of email addresses, birth dates, contact lists, and full control of accounts being attacked when personal information is entered into these once trusted sites.
If you use your Google account (or other account) to authenticate into a third party site:
Take a minute, access that third party site, log-in and change the log-in method. Set up a separate account at that site, and stop using the third party authentication method.
To avoid data loss, be careful about clicking links that direct you straight to the log-in of Facebook or Google.
For more security tips and education for your workforce, visit our compliance training page here.