Security Hysteria over 'Covert Redirect Vulnerability' Needs a Redirect

By Peter Bernstein May 06, 2014

Like good wine, it can take a story some time to age and then go viral. Such has been the case with the May 2 disclosure on Tom’s Guide of a “security flaw” in the OAuth framework and OpenID protocol built on that framework that are open source core parts of secure long-ins, and are employed for secure sharing of access controls across Internet domains. The latter is the practice of using validated credentials from popular accounts such as Facebook, Twitter, Google, etc., for logging-in on another site. 

In case you missed it, reporter Jill Scharr posted a piece (“Facebook, Google Users Threatened by New Security Flaw”) on the discovery by Ph.D. student Wang Jing of the Nanyang Technological University in Singapore of the OAuth and OpenID flaws that could allow attackers to disguise and launch phishing attacks from legitimate websites. While certainly noteworthy, it was not until Fox News picked up the story and ran with it that the observations from the original piece went viral and become fodder for a seemingly endless number of websites.

It certainly caught my attention. Coming hard on the heels of the justifiable ruckus the past several days over the Heartbleed Bug, given the popularity of using popular social sites as simple to use and remember keys to getting on other sites if compromised would wreak major havoc. The problem with the story since it has cascaded into a level of hysteria is that it is looking to be a tempest in a tea pot. In fact, Jing amped up the noise on this in discussions with CNET saying that there were no companies interested in fixing the issue. 

Why do I say this? The answer is contained in a very thorough investigative posting on May 2 by ZDNet blogger John Fontana, titled, “Covert Redirect mostly hype and certainly no Heartbleed.” You should read the Fontana posting if for no reason than for peace of mind. In addition, it is worth a read since as Fontana points out, this is a known vulnerability for which fixes exist, and steps are also being taken by various parties to get industry conformance around best practices to make things even tougher for the bad guys.

Without minimizing the potential problems with “Covert Redirect” if you are not careful, as big a concern here is that this is another instance where a rush to judgment sensationalized the original and its wide replication compounded things despite, in this case, the existence of the Fontana article. It seems the predilection to let a more detailed investigation get in the way of a good story is simply irresistible.

None of us are perfect. As a professional who enjoys the competition with other media outlets on getting stories fast and creating headlines that get page views, I will admit to having been over-zealous myself on more than one occasion. I can also relate that I have corrected the errors of my ways in such instances. The problem is that invariably the incorrect information becomes widespread and the correction, or anything that contradicts the prevailing narrative, tends to be ignored.

This is why the repetition of the storyline about how malicious “Covert Redirect” could be days after its revelation and it juxtaposition with the Fontana posting is discouraging. A little redirect could have calmed the waters. 




Edited by Maurice Nagle
SHARE THIS ARTICLE
Related Articles

Bloomberg BETA: Models Are Key to Machine Intelligence

By: Paula Bernier    4/19/2018

James Cham, partner at seed fund Bloomberg BETA, was at Cisco Collaboration Summit today talking about the importance of models to the future of machi…

Read More

Get Smart About Influencer Attribution in a Blockchain World

By: Maurice Nagle    4/16/2018

The retail value chain is in for a blockchain-enabled overhaul, with smarter relationships, delivering enhanced transparency across an environment of …

Read More

Facebook Flip-Flopping on GDPR

By: Maurice Nagle    4/12/2018

With GDPR on the horizon, Zuckerberg in Congress testifying and Facebook users questioning loyalty, change is coming. What that change will look like,…

Read More

The Next Phase of Flash Storage and the Mid-Sized Business

By: Joanna Fanuko    4/11/2018

Organizations amass profuse amounts of data these days, ranging from website traffic metrics to online customer surveys. Collectively, AI, IoT and eve…

Read More

Satellite Imaging - Petabytes of Developer, Business Opportunities

By: Doug Mohney    4/11/2018

Hollywood has programmed society into believing satellite imaging as a magic, all-seeing tool, but the real trick is in analysis. Numerous firms are f…

Read More