Serious hard-to-fix bug in OAuth and OpenID discovered, lots of major sites affected
Just a short notice rather than a real article, full story later (I need to check the facts): Several sources are posting about a recently discovered hard-to-fix bug in the extremely popular open-source authentication libraries/services OAuth and OpenID, used by lots of AAA-level sites, from PayPal to Facebook. Articles: cnet - Serious security flaw in OAuth, OpenID discovered lifehacker - Security Flaw Found in OAuth and OpenID, Here’s What It Means for You (german) zdnet - Schwere Sicherheitslücke in OAuth und OpenID entdeckt Huge info-page by Wang Jing, the guy who has discovered the bug: http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html YouTube channel (of Wang Jing), showing reproduceable examples (on Facebook, LinkedIn and Google): https://www.youtube.com/user/tetraph Info video: https://www.youtube.com/watch?v=HUE8VbbwUms Reproduceable examples (taken from the above YouTube channel) https://www.youtube.com/watch?v=iif6eq2cvso https://www.youtube.com/watch?v=Y2-2Scp0pbs https://www.youtube.com/watch?v=GyNGBuHNoJ0