Like good wine, it can take a story some time to age and then go viral. Such has been the case with the May 2 disclosure on Tom’s Guide of a “security flaw” in the OAuth framework and OpenID protocol built on that framework that are open source core parts of secure long-ins, and are employed for secure sharing of access controls across Internet domains. The latter is the practice of using validated credentials from popular accounts such as Facebook, Twitter, Google, etc., for logging-in on another site.
In case you missed it, reporter Jill Scharr posted a piece (“Facebook, Google Users Threatened by New Security Flaw”) on the discovery by Ph.D. student Wang Jing of the Nanyang Technological University in Singapore of the OAuth and OpenID flaws that could allow attackers to disguise and launch phishing attacks from legitimate websites. While certainly noteworthy, it was not until Fox News picked up the story and ran with it that the observations from the original piece went viral and become fodder for a seemingly endless number of websites.
It certainly caught my attention. Coming hard on the heels of the justifiable ruckus the past several days over the Heartbleed Bug, given the popularity of using popular social sites as simple to use and remember keys to getting on other sites if compromised would wreak major havoc. The problem with the story since it has cascaded into a level of hysteria is that it is looking to be a tempest in a tea pot. In fact, Jing amped up the noise on this in discussions with CNET saying that there were no companies interested in fixing the issue.
Why do I say this? The answer is contained in a very thorough investigative posting on May 2 by ZDNet blogger John Fontana, titled, “Covert Redirect mostly hype and certainly no Heartbleed.” You should read the Fontana posting if for no reason than for peace of mind. In addition, it is worth a read since as Fontana points out, this is a known vulnerability for which fixes exist, and steps are also being taken by various parties to get industry conformance around best practices to make things even tougher for the bad guys.
Without minimizing the potential problems with “Covert Redirect” if you are not careful, as big a concern here is that this is another instance where a rush to judgment sensationalized the original and its wide replication compounded things despite, in this case, the existence of the Fontana article. It seems the predilection to let a more detailed investigation get in the way of a good story is simply irresistible.
None of us are perfect. As a professional who enjoys the competition with other media outlets on getting stories fast and creating headlines that get page views, I will admit to having been over-zealous myself on more than one occasion. I can also relate that I have corrected the errors of my ways in such instances. The problem is that invariably the incorrect information becomes widespread and the correction, or anything that contradicts the prevailing narrative, tends to be ignored.
This is why the repetition of the storyline about how malicious “Covert Redirect” could be days after its revelation and it juxtaposition with the Fontana posting is discouraging. A little redirect could have calmed the waters.
Edited by
Maurice Nagle
