Heartbleed-Like Security Flaws Far-Reaching but Rare
It was nearly one month ago that the Heartbleed Secure Sockets Layer (SSL) encryption flaw upended the world with one of the most wide-reaching security incidents of the last decade. Ever since, vendors, researchers and media have all been trying to find the next Heartbleed-type flaw, with little success.
On May 2, my inbox was bombarded with claims and comments about the "next Heartbleed," a security flaw in the pervasive OAuth and OpenID authentication protocols, dubbed "covert redirect." The claims stemmed from a report published by Jin Wang, a Ph.D. student at Nanyang Technological University in Singapore. OAuth and OpenID are widely deployed technologies that provide an easy way for users to authenticate to services.
"Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.," Wang wrote. "The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID."
In an "open redirect" attack, a user's information is unknowingly redirected to an unauthorized location. The prospect of a flaw in OAuth and OpenID is one that could well have the same kind of impact as a Heartbleed vulnerability, but the simple fact is that the two vulnerabilities are vastly different.
Heartbleed is a flaw in the open-source OpenSSL cryptographic library used by millions of servers and embedded devices. OpenSSL helps enable SSL encryption, which provides security for data in motion. The Heartbleed flaw is not an implementation issue; it doesn't matter how sites are configured. Simply put, if a site was running a vulnerable version of OpenSSL, the site and all its users are at risk.
With the covert redirect flaw, the basic premise of the attack is to take advantage of a previously known misconfiguration issue in OAuth and OpenID. One of the most succinct comments about why covert redirect is not the same as Heartbleed was published by security vendor Symantec in a May 3 blog post.
"The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers," Symantec stated. "Covert redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users."
That's a big difference.
Going a step further, it's also an issue that some OAuth and OpenID providers were already advising users to take simple configuration steps against for months. On March 13, LinkedIN published a blog post advising users to properly register OAuth redirect addresses to prevent any kind of unauthorized redirection.
With Hearthbleed, there was no warning, no-best practice guidelines for implementation, and no safe haven.
The quest for the next Heartbleed makes a lot of sense. Every vendor and researcher wants to find the next big thing and be recognized for that discovery. The simple fact of the matter is, Heartbleed-type flaws simply don't occur every day, or even every year. That's what makes Heartbleed a rare breed.
Internet security overall has its fair share of weaknesses, but big pervasive issues, with critical impacts like Heartbleed are, thankfully, few and far between.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.