Researchers, identity geeks, standards groups, developers and vendors alike are lining up to debunk stories circulating on the Web that claim there are security flaws in the Internet identity protocols OAuth 2.0 and OpenID Connect.
Hyped as comparable to Heartbleed, the so-called Covert Redirect vulnerability in no way compares to that security bug, which undermined security across the Internet just a few weeks ago.
"Heartbleed allowed an attacker to steal any data from a web server (including passwords). That affects the security of many if not all user accounts of a site," said Torsten Lodderstedt, the author of "OAuth 2.0 Threat Model and Security Considerations" that was published in January 2013 by the Internet Engineering Task Force. (The IETF standardized OAuth 2.0 in 2012). The way Covert Redirect was presented, it allegedly gave an attacker access to user data of a single user account, said Lodderstedt.
Regardless, he said the vulnerability is not in OAuth 2.0 or in OpenID Connect but in Web site implementations that contain an "open redirect": an endpoint that forwards the browser to whatever URL it is handed, so that credentials returned to the site can be bounced on to a URL that does not match the one that originally requested them.
The redirect flaws "discovered" by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, are in fact long-standing problems on the Web, and the creators of the OAuth 2.0 framework and the OpenID Connect spec have documented mitigation techniques: chiefly, requiring clients to pre-register their redirect URIs and having the authorization server compare the redirect_uri in each request against them exactly, rather than by host or prefix.
In addition, Lodderstedt said the "hack" Jing described would require that the end user's browser also be tampered with by the attacker.
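To make the point concrete, here is an added example (not code from the article, from Lodderstedt, or from the specifications) that simulates the whole chain in Python with constructed values: a client ID, a registered callback URI, a general-purpose redirector on the client's host, and a dummy token. It pairs a weak host-only redirect_uri check with the exact-match check the specs call for, and an open redirector with a hardened one, and reports where the access token fragment ends up. The one real browser behaviour it models is that a fragment on the current URL is carried over to a 3xx Location that has none, which is what lets an implicit-grant token follow the redirect.

```python
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

# Constructed registration data for the simulation (not real clients or hosts).
CLIENT_ID = "client-123"
CLIENT_ORIGIN = "https://client.example"
REGISTERED_REDIRECT_URIS = {CLIENT_ID: {"https://client.example/oauth/callback"}}

# Constructed redirect_uri an attacker would hand to the authorization server:
# same host as the registered callback, but pointing at a redirector endpoint.
ATTACKER_REDIRECT_URI = (
    "https://client.example/redirect?next=https://attacker.example/collect"
)


def host_match_ok(client_id, redirect_uri):
    """Weak check: accept any URI whose scheme and host match a registered one."""
    req = urlsplit(redirect_uri)
    return any(
        (req.scheme, req.netloc) == (urlsplit(reg).scheme, urlsplit(reg).netloc)
        for reg in REGISTERED_REDIRECT_URIS.get(client_id, ())
    )


def exact_match_ok(client_id, redirect_uri):
    """Documented mitigation (RFC 6749 3.1.2.2, RFC 6819 5.2.3.5): byte-for-byte
    comparison of the requested redirect_uri against the pre-registered set."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, ())


def authorize(client_id, redirect_uri, redirect_uri_check, token="tok-constructed"):
    """Simulated implicit-grant authorization endpoint. Returns the Location the
    browser is sent to after consent (token in the fragment), or None if refused."""
    if not redirect_uri_check(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


def open_redirector(request_url):
    """Vulnerable client endpoint: 302 to whatever the `next` parameter says."""
    return parse_qs(urlsplit(request_url).query).get("next", [None])[0]


def safe_redirector(request_url):
    """Hardened endpoint: only same-origin absolute paths; anything else goes home."""
    nxt = parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]
    parts = urlsplit(nxt)
    if parts.scheme or parts.netloc or not nxt.startswith("/") or nxt.startswith("//"):
        nxt = "/"
    return urljoin(CLIENT_ORIGIN, nxt)


def browser_follow(current_url, location):
    """Browsers keep the current fragment when the new Location carries none."""
    cur, loc = urlsplit(current_url), urlsplit(location)
    if cur.fragment and not loc.fragment:
        return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, cur.fragment))
    return location


def run_chain(redirect_uri_check, client_redirector):
    """Run one covert-redirect attempt end to end; return the URL the browser
    finally lands on, or None if the authorization server refused the request."""
    location = authorize(CLIENT_ID, ATTACKER_REDIRECT_URI, redirect_uri_check)
    if location is None:
        return None
    nxt = client_redirector(location)
    if nxt is None:
        return location
    return browser_follow(location, nxt)


def token_leaked_to_attacker(final_url):
    """True if the token fragment ended up on the attacker's origin."""
    if final_url is None:
        return False
    parts = urlsplit(final_url)
    return parts.netloc == "attacker.example" and "access_token=" in parts.fragment


if __name__ == "__main__":
    for check in (host_match_ok, exact_match_ok):
        for redirector in (open_redirector, safe_redirector):
            final = run_chain(check, redirector)
            print(f"{check.__name__:14} + {redirector.__name__:16} -> "
                  f"leaked={token_leaked_to_attacker(final)} url={final}")
```

Either fix on its own stops the leak: exact matching at the authorization server refuses the request before any token is issued, and the hardened client redirector keeps the fragment on the client's own origin even when the server's check is weak. The chain only completes when both sides are sloppy, which is why the specs put the burden on the server to match registered URIs exactly rather than trusting every client to have no open redirect anywhere on its host.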
Lodderstedt was not the only one unraveling Covert Redirect.
"This open redirect exploit is not specific to OAuth; an open redirect can be leveraged to exploit a wide variety of services. Open redirects have been well known as a Very Bad Idea for decades," Thorpe wrote.
My old friend Scott M. Fulton III added his usual in-depth analysis to Covert Redirect, which came pre-packaged with a name, a website and a logo. "It's an 'open redirect,' it's permissible, it's surprisingly visible and its exploitability is not only well-known but has been complained about for some time," he wrote.
Former Google developer evangelist Tim Bray chimed in with his own OAuth "flaw" assessment. "I understand OAuth pretty well and it's really hard to figure out what's being claimed," he said. "It's got a logo! It's got a Web presence. Oh good, let's look there and figure out what the problem is. Um, nope, it's just arm-waving."