
OAuth 2.0 and OpenID Security Flaw: A Simple Solution

Before Heartbleed’s 15 minutes of fame were up, another internet security concern made its presence known. The OAuth and OpenID security flaw is the latest in a string of Internet security issues. It’s hard to keep up at this point. While some are blowing it off as no big deal, there are a few things you should know.


OAuth and OpenID? What are they?

You might be thinking that this does not affect you in the least. However, if you have ever logged into a website through your Facebook, Twitter or Google+ credentials without actually creating a new account, then congratulations: you just used either OAuth (2.0) or OpenID.

Remember when you thought it was so cool that you could log into SoundCloud without having to create an account? Yeah, you just used one of these protocols. Many sites use them because they make signing in very easy, and hence websites such as Yahoo, PayPal and LinkedIn have started to use them as well.


What is the flaw?

The notorious bad guys of the internet, the cyber criminals, have started using phishing links to trick users into authorizing a site or even an app. Once you follow such a link and click the authorization button, your data, instead of being sent to the website to log you in, is sent to the attacker.

Such data can include your contact list, email address and, most importantly, your password. The most worrying aspect of this flaw, called Covert Redirect, is that instead of using fake domains it abuses the real website, which makes the threat very difficult to detect.
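As an added illustration (not code from the original post), here is the provider side of the problem in Python: a loose redirect check that matches only the host, which is what lets a legitimate site's own redirector forward the login data elsewhere, beside the exact-match check that closes the hole, plus a simple heuristic for spotting such callback URLs in logs. The client name and URLs are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Constructed example: the callback URL a client registered with the
# login provider. Hypothetical value, not from any real provider.
REGISTERED_REDIRECTS = {"https://client.example/oauth/callback"}


def weak_redirect_check(redirect_uri: str) -> bool:
    """Host-only matching: accepts ANY path on the registered host.

    This is the loose policy Covert Redirect abuses: if the legitimate
    site has a page that forwards visitors to a URL given in its query
    string, the provider still sends the login data there.
    """
    host = urlparse(redirect_uri).hostname
    return any(urlparse(r).hostname == host for r in REGISTERED_REDIRECTS)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact string comparison against the registered URLs, as RFC 6749
    requires. A trailing slash or a different path is a different URL,
    so a forwarding page on the same host is rejected."""
    return redirect_uri in REGISTERED_REDIRECTS


def looks_like_open_redirect(redirect_uri: str) -> bool:
    """Log-review heuristic: flag callback URLs whose query string
    carries another absolute URL (e.g. ?next=https://...), the shape
    a forwarding page typically takes."""
    params = parse_qs(urlparse(redirect_uri).query)
    return any(
        value.lower().startswith(("http://", "https://", "//"))
        for values in params.values()
        for value in values
    )
```

The strict check only helps if the registered value is stored and compared byte for byte; normalising or prefix-matching it reopens the gap.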

How can I avoid it?

Take a look at these posts about staying safe on the web HERE and HERE.

  • Here’s the good news: You can easily avoid the problem by creating your own account on any new website that you encounter, instead of using your Facebook, Google or Twitter credentials to log in to the website.


  • Here’s the bad news: There is no current solution on the horizon to take care of the problem. Unfortunately, the websites involved have little incentive to try to take care of the problem. Their belief is that the costs incurred are not worth it and any changes made will further inconvenience the users, and hence fixing the flaw is not a high priority.


How seriously you take this issue is up to you. As always, if you have several layers of security in place, it may not be an issue. If not, you should probably be cautious and try to avoid logging into sites via your Twitter or Facebook accounts. You’re pretty much on your own here, so use your discretion. This is no Heartbleed, sure, but that doesn’t necessarily mean it is benign either.


Just do yourself a favor and (I’ll say it again) DON’T BE LAZY. Create accounts and stop using Twitter and Facebook to sign in everywhere. (Confession: I’m guilty of it myself.)

Have you ever had your Facebook or Twitter accounts compromised? Do you use third party sign in options?
