Security Hysteria over 'Covert Redirect Vulnerability' Needs a Redirect

By Peter Bernstein May 06, 2014

Like good wine, it can take a story some time to age and then go viral. Such has been the case with the May 2 disclosure on Tom’s Guide of a “security flaw” in the OAuth framework and in the OpenID protocol built on that framework. Both are open source core parts of secure log-ins and are employed for secure sharing of access controls across Internet domains, that is, the practice of using validated credentials from popular accounts such as Facebook, Twitter, Google, etc., to log in on another site.

In case you missed it, reporter Jill Scharr posted a piece (“Facebook, Google Users Threatened by New Security Flaw”) on the discovery by Ph.D. student Wang Jing of the Nanyang Technological University in Singapore of OAuth and OpenID flaws that could allow attackers to disguise and launch phishing attacks from legitimate websites. While certainly noteworthy, it was not until Fox News picked up the story and ran with it that the observations from the original piece went viral and became fodder for a seemingly endless number of websites.

It certainly caught my attention. It came hard on the heels of the justifiable ruckus of the past several days over the Heartbleed Bug, and given how popular it is to use social site credentials as simple, easy to remember keys for getting onto other sites, a real compromise of those log-ins would wreak major havoc. The problem with the story, now that it has cascaded into a level of hysteria, is that it is looking like a tempest in a teapot. In fact, Jing amped up the noise on this in discussions with CNET, saying that no companies were interested in fixing the issue.

Why do I say this? The answer is contained in a very thorough investigative posting on May 2 by ZDNet blogger John Fontana, titled “Covert Redirect mostly hype and certainly no Heartbleed.” You should read the Fontana posting if for no other reason than peace of mind. It is also worth a read because, as Fontana points out, this is a known vulnerability for which fixes exist, and various parties are taking steps to get industry conformance around best practices to make things even tougher for the bad guys.

Without minimizing the potential problems with “Covert Redirect” if you are not careful, as big a concern here is that this is another instance where a rush to judgment sensationalized the original story, and its wide replication compounded things despite, in this case, the existence of the Fontana article. It seems the predilection not to let a more detailed investigation get in the way of a good story is simply irresistible.

None of us are perfect. As a professional who enjoys the competition with other media outlets on getting stories fast and creating headlines that get page views, I will admit to having been over-zealous myself on more than one occasion. I can also relate that I have corrected the errors of my ways in such instances. The problem is that invariably the incorrect information becomes widespread and the correction, or anything that contradicts the prevailing narrative, tends to be ignored.

This is why the repetition of the storyline about how malicious “Covert Redirect” could be, days after its revelation and in juxtaposition with the Fontana posting, is discouraging. A little redirect could have calmed the waters.

Edited by Maurice Nagle