“Cinco” Things to Know about OAuth, OpenID and Covert Redirect this Cinco de Mayo
As I look forward to downing a few tacos and margaritas this evening at my local cantina, I thought it appropriate to point out five (or cinco) things everyone should know about the latest security flaw to make the news. The latest security issue on the internet involves a technology that many users utilize on a daily basis; I’m talking about OpenID and OAuth. To get an in depth look at OAuth, check out my previous blog post.
1. What Are OAuth & OpenID? You may not know the technology by those names, but these two authentication schemes allow users to log into third-party sites with credentials from social identity providers like Facebook, Google and LinkedIn. From a functionality standpoint, OpenID and OAuth allow you to log into a third-party site (such as Forbes in the example below) to interact in forums or comment on stories, share information with your social networks, or a variety of other use cases. For users, it allows them to proceed with the desired action more quickly than completing a long registration form or logging into the site with yet another set of credentials they must remember. In a nutshell, this is a convenience that allows you to avoid creating multiple accounts on various websites while trusting in the security of the identity provider.
2. What Happens When You Do This? Essentially, logging in through one of these providers grants the third-party site a token that gives the destination website access to certain information the provider maintains on you. If we’re talking Facebook, this could be your name, sex, age, friends, messages in your mailbox, likes, etc. All sorts of information can be delivered, depending on the relationship between the third party and the provider and on what information you grant to them. Normally, users are oblivious to the behind-the-scenes exchange that the third-party site and the identity provider go through.
3. What Is Covert Redirect? This recently publicized vulnerability makes it appear that the third-party site you are attempting to access is the one establishing the link to the provider. A connection to the provider really is established, but a malicious party intervenes, redirects the connection, and grabs the token through a session that looks normal to the user.
4. Why Is Covert Redirect (or whatever they’re calling it these days) a Big Deal? The token is what gives the third party the power to obtain your information from the provider. Even the address of the redirect and of the third party appears normal. There are all sorts of names out there for the vulnerability, but the most common one is Covert Redirect, which I’m using for the purposes of this post. The major issue from a technology side is that there is no easy fix for this vulnerability due to the inherent design of OpenID and OAuth.
5. How Do We Protect Ourselves? The only feasible way (at present) to mitigate this issue is to establish a whitelist of third-party accounts with the identity provider. Depending on how widespread the provider is among third-party websites, this is an unwieldy task. Currently, to my knowledge only LinkedIn is attempting to establish such a whitelist, but that doesn’t mean others aren’t already or – in light of this flaw – won’t be attempting to do so soon. According to some media reports, other providers have effectively said it’s a known issue with the technology and at the present time they have no plans to change their practices.
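To make the whitelisting point concrete, here is an added example (not code from the original post or from any provider) of how an identity provider can validate a third-party client’s redirect URI against an exact-match allowlist, with the weaker host-only check beside it to show what exact matching closes off; the client id, registered URIs and hostnames are constructed placeholders.

```python
"""Redirect URI validation at an OAuth/OpenID identity provider (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist: the exact redirect URIs each third-party client registered.
REGISTERED_REDIRECT_URIS = {
    "client-forbes": {"https://www.forbes.example/oauth/callback"},
}


def host_only_check(client_id: str, redirect_uri: str) -> bool:
    """The weak check: accept any URI on a registered host.

    This is the pattern Covert Redirect abuses: any page on the trusted host
    that forwards the browser elsewhere can pass the token along with it.
    """
    registered_hosts = {
        urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS.get(client_id, ())
    }
    return urlsplit(redirect_uri).hostname in registered_hosts


def exact_match_check(client_id: str, redirect_uri: str) -> bool:
    """The hardened check: scheme, host, port and path must match a registered
    URI exactly, and no userinfo, query string or fragment is accepted, so the
    redirect_uri cannot carry a forwarding target at all.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.username or parts.query or parts.fragment:
        return False
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        reg = urlsplit(registered)
        # urlsplit lower-cases hostnames, so comparison is case-insensitive on host only
        if (parts.hostname, parts.port, parts.path) == (reg.hostname, reg.port, reg.path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a forwarding page on the registered host, not the callback.
    forwarding = "https://www.forbes.example/redirect?url=https://attacker.example/"
    print("host-only check accepts forwarding page:", host_only_check("client-forbes", forwarding))
    print("exact-match check accepts forwarding page:", exact_match_check("client-forbes", forwarding))
```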
Ultimately, time will tell how much consumer confidence is shaken in light of Covert Redirect and the buzz circulating currently. I know that I’ll feel a little less secure posting a picture of my margarita to Facebook and my review of the tacos to Yelp when I check in using the restaurant’s app this evening.