Security Hysteria over 'Covert Redirect Vulnerability' Needs a Redirect


Like good wine, it can take a story some time to age and then go viral. Such has been the case with the May 2 disclosure on Tom’s Guide of a “security flaw” in the OAuth framework and OpenID protocol built on that framework that are open source core parts of secure long-ins, and are employed for secure sharing of access controls across Internet domains. The latter is the practice of using validated credentials from popular accounts such as Facebook, Twitter, Google, etc., for logging-in on another site. 

In case you missed it, reporter Jill Scharr posted a piece (“Facebook, Google Users Threatened by New Security Flaw”) on the discovery by Ph.D. student Wang Jing of the Nanyang Technological University in Singapore of the OAuth and OpenID flaws that could allow attackers to disguise and launch phishing attacks from legitimate websites. While certainly noteworthy, it was not until Fox News picked up the story and ran with it that the observations from the original piece went viral and become fodder for a seemingly endless number of websites.

It certainly caught my attention. Coming hard on the heels of the justifiable ruckus the past several days over the Heartbleed Bug, given the popularity of using popular social sites as simple to use and remember keys to getting on other sites if compromised would wreak major havoc. The problem with the story since it has cascaded into a level of hysteria is that it is looking to be a tempest in a tea pot. In fact, Jing amped up the noise on this in discussions with CNET saying that there were no companies interested in fixing the issue. 

Why do I say this? The answer is contained in a very thorough investigative posting on May 2 by ZDNet blogger John Fontana, titled, “Covert Redirect mostly hype and certainly no Heartbleed.” You should read the Fontana posting if for no reason than for peace of mind. In addition, it is worth a read since as Fontana points out, this is a known vulnerability for which fixes exist, and steps are also being taken by various parties to get industry conformance around best practices to make things even tougher for the bad guys.

Without minimizing the potential problems with “Covert Redirect” if you are not careful, as big a concern here is that this is another instance where a rush to judgment sensationalized the original and its wide replication compounded things despite, in this case, the existence of the Fontana article. It seems the predilection to let a more detailed investigation get in the way of a good story is simply irresistible.

None of us are perfect. As a professional who enjoys the competition with other media outlets on getting stories fast and creating headlines that get page views, I will admit to having been over-zealous myself on more than one occasion. I can also relate that I have corrected the errors of my ways in such instances. The problem is that invariably the incorrect information becomes widespread and the correction, or anything that contradicts the prevailing narrative, tends to be ignored.

This is why the repetition of the storyline about how malicious “Covert Redirect” could be days after its revelation and it juxtaposition with the Fontana posting is discouraging. A little redirect could have calmed the waters. 

Edited by Maurice Nagle
Related Articles

Coding and Invention Made Fun

By: Special Guest    10/12/2018

SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…

Read More

Facebook Marketplace Now Leverages AI

By: Paula Bernier    10/3/2018

Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …

Read More

Oct. 17 Webinar to Address Apache Spark Benefits, Tools

By: Paula Bernier    10/2/2018

In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…

Read More

It's Black and White: Cybercriminals Are Spending 10x More Than Enterprises to Control, Disrupt and Steal

By: Cynthia S. Artin    9/26/2018

In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…

Read More

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More