Tag Archives: Security

Covert Redirect bug (OAuth / OpenID) – What you need to know …

“… it’s not easy to fix, and any effective remedies would negatively impact the user experience. Just another example that Web security is fundamentally broken and the powers that be have little incentive to address the inherent flaws.” – Jeremiah Grossman, founder and interim CEO at WhiteHat Security

[Image: list of sites affected. Credit: CNET / Wang Jin]

If you visit a lot of different websites, you’ve probably seen some that allow you to log in using your Facebook or Google accounts. This is meant to make it easier for everyone: you don’t have to create a new account and remember a separate password, and the site owners don’t have to maintain their own membership system.

Unfortunately, there’s a security flaw in the software that enables websites to accept your login information from other sites. Just like the Heartbleed bug, this is in open-source software used by a number of popular websites. This time it’s the OAuth and OpenID software, and the bug enables “phishing” sites (websites specifically designed to get people’s personal information, usually by mimicking reputable sites) to grab the Facebook / Google / etc. login information that you enter and then redirect you to a malicious website. This could enable the hackers to get a fair amount of your information or even take over your accounts on the legitimate sites.


The Heartbleed Bug – What You Need to Know Now

One week ago, it was announced that a new security threat had been discovered on the Internet, one that has affected many of the most commonly used sites such as Facebook and Instagram. This threat, known as the Heartbleed bug, was discovered by a member of Google’s security team and by researchers from a company called Codenomicon, which subsequently named and publicized the bug in order to prompt affected sites to apply the needed fixes.

Not surprisingly, there was a lot of immediate confusion, hysteria and misinformation making the rounds. Now that the dust has settled a little, here is what you as an Internet user still need to know in order to keep your information safe.
