Authentication methods used by Facebook, Google, and many other popular websites could be redirected by attackers.
A security researcher has uncovered serious security vulnerabilities in the technologies used by many websites to authenticate users via third-party websites. A blog posted late last week revealed the details of security flaws in OAuth 2.0 and OpenID, two technologies that are widely used by the Web's most popular sites to more quickly and easily verify the identity of a user.
The vulnerability was discovered by Wang Jing, a PhD student in mathematics at Nanyang Technological University. If you have ever allowed an application or website to verify your identity using your Facebook, Twitter, or Google account, then you have likely used OAuth or OpenID.
OAuth is an open standard for authorization that gives client applications secure, delegated access to server resources on behalf of a resource owner. OpenID is an open standard that allows users to be authenticated by certain cooperating sites using a third-party service, eliminating the need for webmasters to provide their own authentication systems and allowing users to consolidate their digital identities. The vulnerability could allow an attacker to redirect the "token" that OAuth 2.0 uses to access user information on a third-party site, making it possible to steal information such as a user's email address, age, or location, the blog says. In OpenID, the vulnerability could enable attackers to collect users' information directly.
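The token redirection described above hinges on how the identity provider validates the `redirect_uri` a client sends, and on whether the client site itself hosts a redirector that will forward a visitor anywhere. The following is an added illustration, not code from the article or from any of the providers it names; the client id, registered callback URI and sample URLs are constructed. It contrasts host-only matching (the weak form) with the exact match that RFC 6749 section 3.1.2.2 recommends, and shows the client-side fix of making a site's own "next" redirector accept only relative paths.

```python
from urllib.parse import urlsplit, urlencode

# Constructed registration data (assumed values, not from the article):
# the exact callback URI a hypothetical client registered with the provider.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id, redirect_uri):
    """Host-only matching: any path on the registered host is accepted.
    If that host also serves an open redirector, a token sent to it can
    be forwarded onward. Shown here only as the weak form."""
    host = urlsplit(redirect_uri).netloc
    return any(urlsplit(reg).netloc == host
               for reg in REGISTERED_REDIRECT_URIS.get(client_id, ()))


def strict_redirect_check(client_id, redirect_uri):
    """Exact string match against the registered URI: no prefix, host-only
    or pattern matching (the registration requirement of RFC 6749 3.1.2.2)."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def issue_token(client_id, redirect_uri, token, checker):
    """Model the provider's final step of the OAuth 2.0 implicit flow:
    if redirect_uri passes `checker`, the token is appended to it as a
    URL fragment; otherwise the request is rejected and nothing is sent."""
    if not checker(client_id, redirect_uri):
        return None
    return redirect_uri + "#" + urlencode({"access_token": token})


def safe_next_url(next_param):
    """Client-side mitigation for a site's own 'next' redirector: only a
    relative path on the same site is followed; absolute URLs and
    protocol-relative '//host' forms fall back to the site root."""
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return "/"
    if not next_param.startswith("/") or next_param.startswith("//"):
        return "/"
    if "\\" in next_param:  # some browsers treat '/\' like '//'
        return "/"
    return next_param


if __name__ == "__main__":
    # Constructed: a redirect_uri that points at the client's own redirector
    bounced = "https://app.example.com/redirect?next=https://attacker.example/"
    print("weak:  ", issue_token("client-123", bounced, "tok", weak_redirect_check))
    print("strict:", issue_token("client-123", bounced, "tok", strict_redirect_check))
    print("next:  ", safe_next_url("https://attacker.example/"))
```

With host-only matching the provider attaches the token to a URL whose only job is to forward the visitor elsewhere; with exact matching the same request is refused outright, and even if a provider is lax, a client whose redirector accepts only relative paths has nowhere to forward the token to. Both checks together are what the article's "little incentive" remark is about: the provider can enforce the first, but only the third-party site can implement the second.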
Google (which uses OpenID) said that the problem is being tracked, while LinkedIn said that the company has published a blog post on the matter. Microsoft said an investigation has been done and that the vulnerability existed on the domain of a third party and not on its own sites.
While this issue isn't as severe as Heartbleed, it is relatively easy to exploit unless the flaw gets patched, and a patch is difficult to implement because third-party sites have "little incentive" to fix the problem. Cost is a factor, as well as the view that the host company (such as Facebook) bears the responsibility for making the attacks appear more credible.