Webmasters and security experts must deal with yet another vulnerability affecting popular open-source software. Named Covert Redirect, it affects the authentication protocol OpenID and the authorization framework OAuth, exposing visitors to websites that use them to phishing attacks designed to trick users into revealing private information.
VentureBeat says the vulnerability was discovered by Wang Jing, a doctoral student in Singapore.
eBay has not yet responded to our inquiry about a possible impact from the vulnerability. Update: eBay spokesperson Ryan Moore said the OAuth 2.0 and OpenID vulnerabilities have no impact on eBay, and eBay accounts remain secure.
A PayPal spokesperson referred us to a statement from PayPal’s Chief Technology Officer James Barrese:
As always, it’s important to us to keep our customers informed, connected and aware of how we’re addressing any concerns you have with our products or services.
When we heard that security researchers recently discovered a vulnerability in open source login tools OAuth 2.0 and OpenID (which are widely used by many websites and web services, including some offered by PayPal) we moved quickly to determine the impact to our customers. We have carefully investigated this situation and can tell you that this vulnerability has no impact on PayPal and your PayPal accounts remain secure.
We take the responsibility of keeping your financial details protected very seriously at PayPal. When PayPal implemented OAuth2.0/OpenID, we engineered additional security measures to protect our merchants and customers. These measures protect PayPal customers from this specific OAuth2.0/OpenID vulnerability.
We want to reassure you that if your PayPal account is accessed without your permission, PayPal will help you resolve the problem and will cover 100% of any eligible transactions to keep your money secure.
Mashable says it’s not a new problem and quotes a developer who says the problem comes from how certain companies choose to implement OAuth, not from the framework itself. But it is clearly a type of vulnerability that average users should know about in order to protect themselves.
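The implementation point made by the developer Mashable quotes deserves a concrete illustration. Covert Redirect is possible when an OAuth authorization server validates a client's redirect_uri loosely (for example, accepting any URL on the registered host) instead of comparing it byte-for-byte against the URI registered for that client, which is what RFC 6749 prescribes. The following is an added example written for this page, not code from the article or from any vendor it names; the client registration, client id, and URLs are constructed for the demonstration.

```python
"""Contrast a loose redirect_uri check (host-only) with the strict exact-match
check that closes the Covert Redirect class of problems.

Everything below is constructed example data, not taken from the article.
"""
from urllib.parse import urlsplit

# Constructed client registration: the authorization server stores the full
# redirect URI(s) each client is allowed to use.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Weak pattern: only the hostname is compared.

    Any path on the trusted host is accepted, so if that host exposes an
    open-redirect endpoint, the authorization response (code or token in
    the URL) can be bounced onward from the trusted site. This is the
    implementation weakness, not a flaw in the OAuth specification itself.
    """
    registered_hosts = {
        urlsplit(uri).hostname
        for uri in REGISTERED_REDIRECT_URIS.get(client_id, ())
    }
    return urlsplit(redirect_uri).hostname in registered_hosts


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Recommended pattern: simple string comparison against the registered
    URI(s), as RFC 6749 section 3.1.2.3 requires when a full redirection URI
    has been registered. Scheme, host, port, path and query must all match
    exactly. Fragments are rejected outright (RFC 6749 section 3.1.2) and
    plain http is refused so codes/tokens never travel in cleartext.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def authorize_request(client_id: str, redirect_uri: str) -> dict:
    """Decision an authorization endpoint would make before issuing a code.

    On a redirect_uri mismatch the server must NOT redirect the user agent to
    the supplied URI; it should show an error page instead (RFC 6749 4.1.2.1).
    """
    if strict_redirect_allowed(client_id, redirect_uri):
        return {"decision": "redirect", "to": redirect_uri}
    return {"decision": "error_page", "reason": "invalid redirect_uri"}


if __name__ == "__main__":
    # Constructed probes: the registered callback, another path on the same
    # trusted host, a downgraded scheme, and an unrelated host.
    probes = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/somewhere/else",
        "http://app.example.com/oauth/callback",
        "https://other.example.net/oauth/callback",
    ]
    for uri in probes:
        print(
            f"{uri:45} loose={loose_redirect_allowed('client-123', uri)!s:5} "
            f"strict={strict_redirect_allowed('client-123', uri)}"
        )
```

Run the module directly to see the two checks disagree on the second probe: the host-only check accepts any path under app.example.com, while the exact-match check accepts only the URI the client registered. The error-page branch in `authorize_request` matters as much as the comparison itself; redirecting to an unvalidated URI with an error code attached would reintroduce the same redirect problem.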