Heartbleed-Like Security Flaws Far-Reaching but Rare
NEWS ANALYSIS: The Oauth "covert redirect" isn't another Heartbleed, but researchers are racing to find the next big security exploit. It's smart to do so.It was nearly one month ago that the Heartbleed Secure Sockets Layer (SSL) encryption flaw upended the world with one of the most wide-reaching security incidents of the last decade. Ever since, vendors, researchers and media have all been trying to find the next Heartbleed-type flaw, with little success. On May 2, my inbox was bombarded with claims and comments about the "next Heartbleed," a security flaw in the pervasive OAuth and OpenID authentication protocols, dubbed "covert redirect." The claims stemmed from a report published by Jin Wang, a Ph.D. student at Nanyang Technological University in Singapore. OAuth and OpenID are widely deployed technologies that provide an easy way for users to authenticate to services. "Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.," Wang wrote. "The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID." In an "open redirect" attack, a user's information is unknowingly redirected to an unauthorized location. The prospect of a flaw in OAuth and OpenID is one that could well have the same kind of impact as a Heartbleed vulnerability, but the simple fact is that the two vulnerabilities are vastly different.
Heartbleed is a flaw in the open-source OpenSSL cryptographic library used by millions of servers and embedded devices. OpenSSL helps enable SSL encryption, which provides security for data in motion. The Heartbleed flaw is not an implementation issue; it doesn't matter how sites are configured. Simply put, if a site was running a vulnerable version of OpenSSL, the site and all its users are at risk.