    Heartbleed-Like Security Flaws Far-Reaching but Rare

    By Sean Michael Kerner, May 6, 2014

      It was nearly one month ago that Heartbleed, a flaw in the OpenSSL library that implements SSL/TLS encryption, upended the world with one of the most wide-reaching security incidents of the last decade. Ever since, vendors, researchers and media have all been trying to find the next Heartbleed-type flaw, with little success.

      On May 2, my inbox was bombarded with claims and comments about the “next Heartbleed,” a security flaw in the pervasive OAuth and OpenID authentication protocols, dubbed “covert redirect.” The claims stemmed from a report published by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore. OAuth and OpenID are widely deployed technologies that let users sign in to one service, or grant it limited access to their data, with an account held at another provider.

      “Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.,” Wang wrote. “The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.”

      In an “open redirect” attack, a site forwards the user’s browser to a destination taken from a request parameter without checking it, so an attacker can bounce the user, and whatever the redirect carries (in the OAuth case, a token or authorization code), to a location the attacker controls. A flaw in OAuth and OpenID could in principle have the same kind of impact as a Heartbleed vulnerability, but the simple fact is that the two vulnerabilities are vastly different.

      Heartbleed is a flaw in the open-source OpenSSL cryptographic library used by millions of servers and embedded devices. OpenSSL implements SSL/TLS encryption, which protects data in motion. Heartbleed is a bug in the library’s code, not a configuration issue; it doesn’t matter how a site is set up. Simply put, if a site was running a vulnerable version of OpenSSL, the site and all its users were at risk, and an attacker needed nothing more than a network connection to it.
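      To make concrete why a bare request was enough, the following is an added Python model of the TLS heartbeat handling behind Heartbleed. It is not OpenSSL code and not from the article: it mimics the unpatched handler, which echoed back as many bytes as the peer claimed to have sent, next to the patched one, which checks the claimed length against the record that actually arrived. The “heap” bytes and the sample cookie and key fragment are constructed for the demonstration.

```python
import struct
from typing import Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING = 16  # minimum padding a heartbeat message carries

# Constructed stand-in for whatever sits in process memory just past the
# received record; on a real server that is other connections' data.
HEAP_AFTER_RECORD = (
    b"Cookie: session=abc123; -----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIEowIBAAKCAQEA..."
)


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding.

    An honest peer sets claimed_len == len(payload); the attack sets it larger.
    """
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(record: bytes) -> Optional[bytes]:
    """Unpatched handler: echoes claimed_len bytes starting at the payload,
    trusting the peer-supplied length rather than the size of the record."""
    memory = record + HEAP_AFTER_RECORD  # what an unbounded copy can reach
    hbtype, claimed_len = struct.unpack("!BH", memory[:3])
    if hbtype != TLS1_HB_REQUEST:
        return None
    echoed = memory[3:3 + claimed_len]  # reads past the end of the record
    return struct.pack("!BH", TLS1_HB_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING


def heartbeat_patched(record: bytes) -> Optional[bytes]:
    """Patched handler: the claimed length must fit inside the record that
    actually arrived; otherwise the message is silently discarded."""
    if len(record) < 1 + 2 + PADDING:
        return None
    hbtype, claimed_len = struct.unpack("!BH", record[:3])
    if hbtype != TLS1_HB_REQUEST:
        return None
    if 1 + 2 + claimed_len + PADDING > len(record):
        return None  # the bounds check the fix added
    echoed = record[3:3 + claimed_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes the server echoed beyond the payload the peer actually sent."""
    _, claimed_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + claimed_len]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    attack = build_heartbeat(b"hi", 64)  # 2 real bytes, 64 claimed
    print(leaked_bytes(heartbeat_vulnerable(attack), b"hi"))
    print(heartbeat_patched(attack))  # None: the request is discarded
```

      The attacker sends two bytes and claims 64; the vulnerable handler answers with 64 bytes, the first two of which are the attacker’s and the rest of which are the padding and whatever followed the record in memory. No credentials, no user interaction and no knowledge of the site’s configuration are needed, which is exactly the property covert redirect lacks.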

      With covert redirect, the basic premise of the attack is to take advantage of a previously known misconfiguration in OAuth and OpenID deployments: a client that registers its redirect address too loosely (an entire domain, say, rather than one exact callback URL) while also hosting an open redirector on that domain, so that the provider ends up handing the user’s token or authorization code to a URL the attacker chose. One of the most succinct comments about why covert redirect is not the same as Heartbleed was published by security vendor Symantec in a May 3 blog post.

      “The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers,” Symantec stated. “Covert redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.”

      That’s a big difference.

      Going a step further, some OAuth and OpenID providers had already been advising developers for months to take simple configuration steps against it. On March 13, LinkedIn published a blog post advising developers to register their exact OAuth redirect URLs so that the provider can refuse any unauthorized redirection.
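      As an added example (not code from the article, from LinkedIn, or from any provider named above), the Python below models the misconfiguration that covert redirect relies on and the registration fix the providers recommended. A provider authorization endpoint is shown with two redirect_uri checks: a weak one that accepts any HTTPS URL on the registered host, and the exact-match check that refuses anything but the registered callback. The client app “app-123”, the hosts app.example and attacker.example, the /redirect?next= open redirector and the token value are all constructed for the demonstration.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed registration for a hypothetical client app "app-123".
REGISTERED_REDIRECTS = {
    "app-123": {"https://app.example/oauth/callback"},
}

Validator = Callable[[str, str], bool]


def domain_match(client_id: str, redirect_uri: str) -> bool:
    """Weak provider-side check: any HTTPS URL on a registered host passes."""
    candidate = urlsplit(redirect_uri)
    registered_hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return candidate.scheme == "https" and candidate.netloc in registered_hosts


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the whole URI must equal a registered one (RFC 6749's
    simple string comparison), so path and query are fixed by the client."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def provider_authorize(client_id: str, redirect_uri: str, token: str,
                       validate: Validator) -> Optional[str]:
    """Implicit-flow authorization endpoint, after the user has consented.
    Returns the Location the browser is sent to, or None when redirect_uri is
    rejected: a provider must not redirect anywhere in that case."""
    if not validate(client_id, redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    fragment = f"access_token={token}&token_type=bearer"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))


def client_open_redirector(location: str) -> str:
    """Models an open redirector on the client's own host, /redirect?next=<url>,
    that 302s to whatever `next` says. Browsers keep the URL fragment when
    following a redirect, so the token rides along to the new target."""
    parts = urlsplit(location)
    target = parse_qs(parts.query).get("next", [None])[0]
    if parts.path != "/redirect" or not target:
        return location
    t = urlsplit(target)
    return urlunsplit((t.scheme, t.netloc, t.path, t.query, parts.fragment))


def run_attack(validate: Validator) -> Optional[str]:
    """Where the user's browser, and the token, end up under a given check."""
    attacker_uri = "https://app.example/redirect?next=https://attacker.example/collect"
    location = provider_authorize("app-123", attacker_uri, "tok-xyz", validate)
    return None if location is None else client_open_redirector(location)


if __name__ == "__main__":
    print(run_attack(domain_match))  # token lands on attacker.example
    print(run_attack(exact_match))   # None: the provider refuses to redirect
```

      Under the domain-level check the provider redirects to the client’s own host, the client’s open redirector bounces the browser to attacker.example, and the token in the fragment goes with it. Under exact matching the attacker’s URL is never accepted, so no redirect is issued at all. Note that the attack still needs a client with an open redirector and a user who clicks through and consents; the client should remove that redirector regardless, but exact registration is what lets the provider stop the attack on its own.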

      With Heartbleed, there was no warning, no best-practice guideline for implementation, and no safe haven.

      The quest for the next Heartbleed makes a lot of sense. Every vendor and researcher wants to find the next big thing and be recognized for that discovery. The fact of the matter is that Heartbleed-type flaws simply don’t occur every day, or even every year. That’s what makes Heartbleed a rare breed.

      Internet security overall has its fair share of weaknesses, but big, pervasive issues with critical impacts like Heartbleed are, thankfully, few and far between.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
