On May 2, my inbox was bombarded with claims and comments about the “next Heartbleed,” a security flaw in the pervasive OAuth and OpenID authentication protocols, dubbed “covert redirect.” The claims stemmed from a report published by Jin Wang, a Ph.D. student at Nanyang Technological University in Singapore. OAuth and OpenID are widely deployed technologies that provide an easy way for users to authenticate to services.
“Almost all major OAuth 2.0 and OpenID providers are affected, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, PayPal, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru, Sohu, etc.,” Wang wrote. “The vulnerability could lead to Open Redirect attacks to both clients and providers of OAuth 2.0 or OpenID.”
In an “open redirect” attack, a user’s information is unknowingly redirected to an unauthorized location. The prospect of a flaw in OAuth and OpenID is one that could well have the same kind of impact as a Heartbleed vulnerability, but the simple fact is that the two vulnerabilities are vastly different.