Friday, May 2, 2014

OAuth 2.0/OpenID "Covert Redirect": Known issue

Today a security issue with OAuth 2.0 and OpenID, dubbed "Covert Redirect", has been in the news [1][2].

This issue is not new: it is discussed in Section 4.2.4 of the OAuth specification, which lists countermeasures:
  • Require clients to register any full redirect URIs (Section 5.2.3.5).
  • Don't redirect to a redirect URI if the client identifier or redirect URI can't be verified (Section 5.2.3.5).
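The two countermeasures above boil down to one rule on the authorization server: only ever redirect to a redirect URI that exactly matches one the client pre-registered, and if the client_id or redirect_uri cannot be verified, show an error page instead of redirecting anywhere. The following is an added illustration, not code from the original post or from any OAuth library; the client registry, client identifier, URIs and the `CONSTRUCTED-AUTH-CODE` value are constructed for the example. It puts a lax host-only comparison next to the exact-match check the specification calls for, and shows how the authorize decision refuses to redirect when verification fails.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed client registry: each client pre-registers its FULL redirect URIs
# (scheme, host, path and query), not just a hostname or prefix.
REGISTERED_CLIENTS = {
    "client-abc": {
        "redirect_uris": ["https://app.example/oauth/callback"],
    },
}


def weak_redirect_check(client_id, redirect_uri):
    """Host-only comparison: the lax check the threat model warns against.

    Any path on the registered host passes, including a page on that host that
    itself forwards users elsewhere, which is what makes Covert Redirect work.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    host = urlsplit(redirect_uri).hostname
    return host is not None and any(
        urlsplit(u).hostname == host for u in client["redirect_uris"]
    )


def strict_redirect_check(client_id, redirect_uri):
    """Exact, character-for-character match against a pre-registered full URI."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    return redirect_uri in client["redirect_uris"]


def append_query(uri, params):
    """Append query parameters to a URI that may already carry a query string."""
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def authorize(params, check=strict_redirect_check):
    """Minimal /authorize decision for a server that has already authenticated the user.

    Returns ("redirect", url) only when client_id and redirect_uri are both
    verified; otherwise ("error_page", message), i.e. the server renders an
    error itself and never redirects to an unverified location.
    """
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not check(client_id, redirect_uri):
        # Countermeasure: no redirect at all if client or URI cannot be verified.
        return ("error_page", "invalid client_id or redirect_uri")
    if params.get("response_type") != "code":
        # Errors about other parameters may be sent to the *verified* URI.
        return ("redirect", append_query(redirect_uri, {"error": "unsupported_response_type"}))
    code = "CONSTRUCTED-AUTH-CODE"  # constructed stand-in for a freshly issued code
    return ("redirect", append_query(redirect_uri, {"code": code, "state": params.get("state", "")}))


if __name__ == "__main__":
    # A redirect_uri on the registered host but pointing at a different page.
    suspect = "https://app.example/redirect?url=https://other.example/"
    print("host-only check accepts it:", weak_redirect_check("client-abc", suspect))
    print("exact-match check accepts it:", strict_redirect_check("client-abc", suspect))
    print(authorize({"client_id": "client-abc", "redirect_uri": suspect, "response_type": "code"}))
```

Passing `check=weak_redirect_check` to `authorize` reproduces the lax behaviour for comparison; the default is the exact-match check. In a real deployment the registry would be backed by the server's client database and the error page would be rendered by the web framework, but the decision logic is the same.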
Statements from the CILogon developers on the sciencegatewaysecurity.org discuss email list indicate they do not believe CILogon is vulnerable to these attacks.

Added at 4:09pm ET: Nice description of the attack by Jesper Jurcenoks
Added 5/5 10:42am ET: CSO Online article: "Covert Redirect isn't a vulnerability, and it's nothing like Heartbleed"

[1] http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
[2] http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/