A few months ago, researchers announced the discovery of Heartbleed, a security vulnerability in the widely used OpenSSL library. Estimates varied as to the impact of Heartbleed, but everyone agreed it was among the most significant security flaws ever discovered in popular open source software.
Recently, experts have identified another major open source security issue. While not nearly as widespread or severe as Heartbleed, this flaw, known as Covert Redirect, affects many frequently visited websites around the Internet, and may prove difficult to eliminate.
Covert Redirect explained
Covert Redirect was first discovered by doctoral student Wang Jing of the Nanyang Technological University in Singapore and announced via his personal website. Covert Redirect affects the authorization protocols OAuth 2.0 and OpenID. These protocols are used to enable third-party authorization of login credentials. Most commonly, websites use them to allow users to access resources by signing in with their Facebook accounts.
"If there is an open redirect on your website, an attacker could target your application for Covert Redirect," the Symantec blog emphasized. "It is important to lock down open redirects on your website."
Not the next Heartbleed…
As the Symantec blog explained, Covert Redirect is less serious than Heartbleed for several reasons. Aside from affecting a less widely used open source implementation, Covert Redirect is also more difficult to use. Specifically, Covert Redirect, as the name suggests, is used by cybercriminals to take advantage of third-party clients that utilize open redirect methods.
"For example, an attacker could covertly issue a request to a service provider's API using a susceptible site's app and modify the redirect_uri parameter. The new modified redirect_uri parameter maliciously redirects users after they have successfully authenticated," Symantec elaborated. "In a malicious request, the attacker receives the user's access token, [but] the approved application does not."
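The two quoted passages above describe the defender-side conditions: a service provider that accepts a manipulated redirect_uri, and a client site that hosts an open redirector. The following Python is an added example written for this page, not code from Symantec, Wang Jing or any OAuth provider. It contrasts the lax redirect_uri check that the flaw depends on with the exact-match check RFC 6749 (section 3.1.2.3) calls for, and adds the open-redirect guard a client site should apply to its own "next"-style parameters. The client_id, registered URI and hostname are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registration: the exact redirect URIs a hypothetical
# client app registered with the authorization server, keyed by client_id.
REGISTERED_REDIRECT_URIS = {
    "client-app-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, redirect_uri):
    """Host-only matching: the lax check Covert Redirect relies on.

    Any path on the registered host passes, so an open redirector on the
    client site becomes an acceptable destination for the token or code.
    """
    allowed_hosts = {
        urlsplit(uri).netloc
        for uri in REGISTERED_REDIRECT_URIS.get(client_id, ())
    }
    return urlsplit(redirect_uri).netloc in allowed_hosts


def strict_redirect_check(client_id, redirect_uri):
    """Exact string comparison against the registered URIs.

    RFC 6749 section 3.1.2.3 requires simple string comparison when the full
    redirection URI was registered; a path or query the client never
    registered is rejected outright.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize_request(query_string):
    """Decide an authorization request from its raw query string.

    Returns ("ok", redirect_uri) when the redirect target is acceptable,
    otherwise ("error", None). The server must not redirect to an
    unvalidated URI even to report the error, since that would itself
    deliver the user to the attacker's destination.
    """
    params = parse_qs(query_string)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if not strict_redirect_check(client_id, redirect_uri):
        return ("error", None)
    return ("ok", redirect_uri)


def is_safe_local_redirect(target):
    """Open-redirect guard for the client site's own redirect parameter.

    Only same-site, path-only targets are allowed. Absolute URLs,
    protocol-relative forms ("//host") and the backslash variant ("/\\host",
    which some browsers normalise to "//host") are all rejected.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    return True


if __name__ == "__main__":
    # Constructed manipulated redirect_uri: registered host, but pointing at
    # an open redirector path instead of the registered callback.
    manipulated = "https://app.example.com/redirect?to=https://evil.example"
    print("weak check accepts manipulated URI:",
          weak_redirect_check("client-app-123", manipulated))
    print("strict check accepts manipulated URI:",
          strict_redirect_check("client-app-123", manipulated))
    print("local redirect guard on '//evil.example':",
          is_safe_local_redirect("//evil.example"))
```

Both checks are needed: the provider's exact match stops the manipulated redirect_uri, and the client's local-only guard removes the open redirector that made the manipulated URI useful in the first place. Fixing only one side leaves the other provider or client exposed.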
Heartbleed, by comparison, is a vulnerability that hackers can potentially use very easily, simply by issuing requests to unpatched servers. This, combined with the greater number and variety of websites reliant on OpenSSL, makes Heartbleed the more serious problem.
…but a major concern
This does not mean that Covert Redirect is a minor issue, however. On the contrary, the flaw is undoubtedly serious and poses a real risk. As Jing noted, virtually every major provider of OAuth 2.0 and OpenID is affected by this flaw. This includes Facebook, Google, Microsoft, PayPal, LinkedIn, Yahoo and others.
Furthermore, Symantec noted that no patch is forthcoming. Instead, service providers themselves are responsible for securing their own implementations to address this issue.
This suggests that organizations will need to invest in the right tools, such as static code analysis, and strategies, such as open source governance, necessary to better evaluate and protect their open source assets. Without these solutions, firms will be unable to determine how their own operations may be affected by Covert Redirect and other security flaws, nor will they be able to take proactive steps to correct these issues.