Open source applications and tools certainly are taking a beating lately. Heartbleed sent millions of people into a panic about changing passwords (and based on my Facebook feed and the online forums I follow, panic is the right word to describe it). Now the Covert Redirect bug, a security flaw affecting OAuth and OpenID, has popped up. Both of these are important elements of secure logins to many popular domains, ranging from Google to Facebook to Microsoft.
CSO Online quoted CloudLock’s Kevin O’Brien on the issue:
The ‘Covert Redirect’ component of the vulnerability refers to a similarity to how some phishing attacks work: When the user grants OAUTH access on the provider pop-up, the actual OAUTH token that is generated is not granted to the service that the user thinks they are using, but rather to a third party service that is potentially malicious.
Experts are quick to point out that Covert Redirect is not the reincarnation of Heartbleed. In fact, as John Fontana wrote on ZDNet:
[T]he bug . . . is only like Heartbleed in that it came pre-packaged with a manufactured name, a website and a polished logo.
However, as Mike Gross, senior manager of risk strategy and professional services with 41st Parameter, told me, it is another reminder of the risks of single authentication methods:
It’s important for banks, merchants, social networks, etc. to have multiple layers of protection when authenticating users. This is why Facebook Connect or other social login methods are not sufficient for access to online banking and sites where user sessions need to be secured. The Internet was inherently designed to be open and to make sharing easy and convenient — but that tenet directly conflicts with the need to secure accounts and transactions. Short of a complete Internet overhaul with security as a foundation vs. an afterthought, we can expect these vulnerabilities to persist and their impact and scope to be even more damaging.
As Ori Eisen, founder, chairman and chief innovation office at 41st Parameter, told me, open source is an amazing collaborative effort, but it also depends on everyone using it being a good netizen:
In any distributed system, we are counting of the good nature of the participants to do the right thing. In cases like OAuth and OpenID, the distribution is so vast that it is unreasonable to expect each and every website to patch up in the near future.
So while Covert Redirect isn’t causing the same sort of concern that Heartbleed did, it still shows two things: that open source has security concerns that must be addressed and that single-factor authentication has outlived its usefulness.