Security Hysteria over 'Covert Redirect Vulnerability' Needs a Redirect

By Peter Bernstein May 06, 2014

Like good wine, it can take a story some time to age and then go viral. Such has been the case with the May 2 disclosure on Tom’s Guide of a “security flaw” in the OAuth framework and OpenID protocol built on that framework that are open source core parts of secure long-ins, and are employed for secure sharing of access controls across Internet domains. The latter is the practice of using validated credentials from popular accounts such as Facebook, Twitter, Google, etc., for logging-in on another site. 

In case you missed it, reporter Jill Scharr posted a piece (“Facebook, Google Users Threatened by New Security Flaw”) on the discovery by Ph.D. student Wang Jing of the Nanyang Technological University in Singapore of the OAuth and OpenID flaws that could allow attackers to disguise and launch phishing attacks from legitimate websites. While certainly noteworthy, it was not until Fox News picked up the story and ran with it that the observations from the original piece went viral and become fodder for a seemingly endless number of websites.

It certainly caught my attention. Coming hard on the heels of the justifiable ruckus the past several days over the Heartbleed Bug, given the popularity of using popular social sites as simple to use and remember keys to getting on other sites if compromised would wreak major havoc. The problem with the story since it has cascaded into a level of hysteria is that it is looking to be a tempest in a tea pot. In fact, Jing amped up the noise on this in discussions with CNET saying that there were no companies interested in fixing the issue. 

Why do I say this? The answer is contained in a very thorough investigative posting on May 2 by ZDNet blogger John Fontana, titled, “Covert Redirect mostly hype and certainly no Heartbleed.” You should read the Fontana posting if for no reason than for peace of mind. In addition, it is worth a read since as Fontana points out, this is a known vulnerability for which fixes exist, and steps are also being taken by various parties to get industry conformance around best practices to make things even tougher for the bad guys.

Without minimizing the potential problems with “Covert Redirect” if you are not careful, as big a concern here is that this is another instance where a rush to judgment sensationalized the original and its wide replication compounded things despite, in this case, the existence of the Fontana article. It seems the predilection to let a more detailed investigation get in the way of a good story is simply irresistible.

None of us are perfect. As a professional who enjoys the competition with other media outlets on getting stories fast and creating headlines that get page views, I will admit to having been over-zealous myself on more than one occasion. I can also relate that I have corrected the errors of my ways in such instances. The problem is that invariably the incorrect information becomes widespread and the correction, or anything that contradicts the prevailing narrative, tends to be ignored.

This is why the repetition of the storyline about how malicious “Covert Redirect” could be days after its revelation and it juxtaposition with the Fontana posting is discouraging. A little redirect could have calmed the waters. 

Edited by Maurice Nagle
Related Articles

Why Blockchain Could Be a Gamechanger

By: Paula Bernier    1/22/2018

Blockchain has become closely associated with the controversial topic of cryptocurrency. And that's fine because blockchain is an enabling technology …

Read More

Consumer Privacy in the Digital Era: Three Trends to Watch

By: Special Guest    1/18/2018

Digital advertising has exploded in recent years, with the latest eMarketer data forecasting $83 billion in revenue this year and continued growth on …

Read More

CES 2018: Terabit Fiber - Closer Than We Think

By: Doug Mohney    1/17/2018

One of the biggest challenges for 5G and last mile 10 Gig deployments is not raw data speeds, but middle mile and core networks. The wireless industry…

Read More

10 Benefits of Drone-Based Asset Inspections

By: Frank Segarra    1/15/2018

Although a new and emerging technology, (which is still evolving), in early 2018, most companies are not aware of the possible benefits they can achie…

Read More

VR Could Change Entertainment Forever

By: Special Guest    1/11/2018

VR could change everything from how we play video games to how we interact with our friends and family. VR has the power to change how we consume all …

Read More