A Singaporean Ph.D. student has discovered a major bug in two of the most common login tools on the Internet. Attackers can use the flaw to steal data from your accounts for websites like Google, Facebook, Paypal, LinkedIn, and more.
OpenID and OAuth 2.0 are designed to make logging in easy. Instead of entering a username and password, these tools allow you to simply log in via third-party websites using, for instance, a Facebook or Twitter account. Many of the most popular websites online use these tools.
Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, went public earlier today with his discovery of a serious “Covert Redirect” flaw in both OpenID and OAuth that can send personal data to a phishing site masquerading as a trustworthy login popup. You could be sending your email address, contact lists, birthday, and more to the attacker, who might then send you along to a phishing website to steal even more sensitive data from you.
Since Wang has gone public, numerous others have corroborated his claims. Fixing the problem is “easier said than done,” said Wang, so users are advised to be extremely careful when logging into third-party sites using Twitter, Facebook, and Google accounts until further notice.
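The flaw described above turns on how strictly the identity provider checks where it sends the user, and the user's data, back to after login. The following is an added example, not code from the article or from any login provider: a Python sketch of an authorization server's redirect_uri check, with a loose host-only match next to the exact string comparison that the OAuth 2.0 specification (RFC 6749, section 3.1.2.3) calls for when a full redirect URI is registered. The client URIs and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URI a client registered with the provider.
# A real authorization server would load this from the client's record.
REGISTERED_REDIRECT_URIS = {
    "https://client.example.com/oauth/callback",
}


def weak_domain_match(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Loose check: accept any URI whose scheme and host match a registered one.

    Any page on the client's domain passes, including a page that merely
    forwards visitors to whatever address its query string names.
    """
    parts = urlsplit(redirect_uri)
    for reg in registered:
        r = urlsplit(reg)
        if parts.scheme == r.scheme and parts.netloc == r.netloc:
            return True
    return False


def exact_match(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Strict check: the redirect_uri must equal a registered URI character for
    character (simple string comparison, no normalisation, no prefix rules)."""
    return redirect_uri in registered


def authorize(redirect_uri, check):
    """Simulate the authorization endpoint's decision for one request.

    Returns "redirect" when the server would send the user (carrying the code
    or token) to that URI, or "reject" when it should refuse and render the
    error itself rather than redirecting anywhere.
    """
    return "redirect" if check(redirect_uri) else "reject"


# Constructed requests used to compare the two checks.
LEGIT = "https://client.example.com/oauth/callback"
# Same host, but a forwarding page that sends the visitor on to another site.
FORWARDER = "https://client.example.com/redirect?next=https://other.example/"
# A different host that merely begins with the registered one.
LOOKALIKE = "https://client.example.com.other.example/oauth/callback"


def compare_checks():
    """Return each check's decision for every sample URI."""
    return {
        uri: {
            "weak": authorize(uri, weak_domain_match),
            "exact": authorize(uri, exact_match),
        }
        for uri in (LEGIT, FORWARDER, LOOKALIKE)
    }


if __name__ == "__main__":
    for uri, result in compare_checks().items():
        print(f"{uri}\n  weak: {result['weak']}  exact: {result['exact']}")
```

The forwarding URI is the instructive case: it is on the legitimate client's domain, so a host-only rule lets the provider redirect there, and the user's data travels with it to wherever that page forwards; exact matching rejects it and the provider shows its own error page instead of redirecting.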
H/T CNet | Illustration by Jason Reed