OAuth and OpenID logon tools exposed major vulnerabilities

A few weeks ago, the "Heartbleed" vulnerability exposed by the OpenSSL website encryption tool has turned the entire internet security field back. Although most websites fix it as soon as possible, a new problem emerges. One security researcher discovered two major vulnerabilities on the login system, but it was much more difficult to fix them than Heartbleed.

Add OAuth support for Nginx (nginx-lua)

OpenID authentication for Spring Security learning

According to Cnet, a doctoral student named Wang Jing from Singapore Nanyang Technological University found the "Covert Redirect" vulnerability of OAuth and OpenID open source login tools ).

This allows attackers to create a pop-up logon window using the real site address, instead of using a fake domain name, to lure netusers into entering their personal information.

Given that OAuth and OpenID are widely used by major companies, such as Microsoft, Facebook, Google, and LinkedIn, Wang said he has already reported to these companies.

Wang claims that Microsoft has provided a response, investigating and confirming that the problem lies in a third-party system, rather than the company's own site.

Facebook also said, "the repair of these two problems still cannot be completed in a short period of time, and each application platform must be forced to use a whitelist ".

As for Google, the company is expected to track the issue of OpenID, while LinkedIn claims that it will soon describe the issue in its blog.

The irony is that Microsoft, Google, and other technology companies announced just a few days ago that "Funding open source security system research to avoid another Heartbleed crisis.

This article permanently updates the link address: