OpenID/OAuth exploit a hype, not the new Heartbleed

In the last few weeks, the Heartbleed bug received the attention it needed. A serious security flaw was discovered in the widely used OpenSSL cryptographic library. It allowed attackers to steal information normally protected by SSL/TLS encryption. See also our previous posting.

This Friday, another ‘flaw’ received a lot of attention: the OpenID and OAuth security flaw dubbed ‘Covert Redirect’. Almost immediately, the media started calling it the second Heartbleed. But is this really the case?

The OpenID protocol and OAuth framework are widely used, for example by Google, LinkedIn, Facebook, and many others. Security flaws in OpenID and OAuth can thus have a very large impact. However, the problem is not in OAuth or OpenID themselves, but in how website owners implement them, using something called an “open redirect”. An open redirect sends your browser to any URL it is given, including the query parameters, without checking the validity of that URL. This has been bad practice for years, and it can be abused in other contexts too, not only OAuth/OpenID.

This exact problem has already been described in the OAuth 2.0 Threat Model specification. The specification states that “every actual redirection URL sent … must match the registered redirection URL. Where it does not match, the authorization server should assume the inbound GET request has been sent by an attacker and refuse it”.

An easy solution is to have all your clients register their redirect URLs and to not use open redirects. In March, LinkedIn asked all their developers to register the redirect URLs. If you did not do this, your application would no longer be able to log in to LinkedIn as of April 11. On the client side, if you need an open redirect, make sure to restrict it to redirect only to URLs within your own site.
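Both checks described above, sketched in Python as an added example (not code from the original post or from any of the providers mentioned). The client id, host names and function names are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registry: client_id -> redirect URIs registered in advance.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Authorization server: accept only an exact match with a registered URI.

    Exact string comparison (no prefix or host-only matching) means a
    redirect_uri pointing at some other endpoint on the client's site,
    such as an open redirector, is refused.
    """
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def safe_local_redirect(target, own_host, default="/"):
    """Client site: return target only if it stays on own_host, else default.

    own_host is expected in lower case, without a port.
    """
    # Control characters and backslashes are rewritten by browsers in ways
    # that can change which host a URL points to, so refuse them outright.
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return default
    if target.startswith("/"):
        # "//host" and "///host" are resolved by browsers to another origin.
        return default if target.startswith("//") else target
    parts = urlsplit(target)
    # Absolute URL: only https to exactly our own host. A netloc carrying
    # userinfo ("our.host@other.host") or a port will not compare equal.
    if parts.scheme == "https" and parts.netloc.lower() == own_host:
        return target
    return default
```

The host comparison is deliberately strict: an absolute URL with an explicit port or a trailing dot falls back to the default instead of being normalised.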

Calling Covert Redirect the new Heartbleed is incorrect. It is merely an incorrect implementation of the OAuth specification. This makes it different from the OpenSSL flaw: there, you were vulnerable even when you used the OpenSSL libraries correctly. We should give security issues the right amount of attention. Heartbleed raised overall security awareness. If the alarm is raised too often when it is not needed, users will start ignoring security issues, even the really important ones.

For more information, read the technical analysis by Danny Thorpe.
