A few weeks ago, the "Heartbleed" vulnerability in the OpenSSL encryption library was found, raising major concerns about Internet security as a whole. While most sites patched that hole fairly quickly, a security researcher has now disclosed a new issue affecting two login systems, and fixing it may be more difficult.
CNet reports that Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore, found that the OAuth and OpenID open login standards are vulnerable to what he calls the "Covert Redirect" exploit. It allows attackers to present a login popup that uses a real site's address, rather than a fake domain name, to trick web users into entering their personal information.
OAuth and OpenID are used by major technology companies such as Microsoft, Facebook, Google, and LinkedIn. Wang says he has reported the issue to these companies. He claims Microsoft replied that its investigation showed the problem lay in a third-party system rather than in its own sites.
Facebook reportedly told Wang that "short of forcing every single application on the platform to use a whitelist," fixing the OAuth and OpenID issues was "something that can't be accomplished in the short term." Google is said to be tracking the OpenID issue, and LinkedIn says it will post its response on its blog soon.
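The "whitelist" Facebook refers to is exact-match validation of the `redirect_uri` an application sends to the authorization server. The following is an added example, not code from the article or from any company named in it; the client id, registry and URIs are constructed for illustration. It contrasts a host-only check, which lets any path on a registered domain receive the authorization response, with the exact string comparison RFC 6749 calls for.

```python
"""Added example: OAuth redirect_uri validation, host-only vs. exact-match whitelist."""
from urllib.parse import urlsplit

# Constructed sample registry: client_id -> redirect URIs that client registered.
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Host-only match. Any path on a registered host passes, so a redirector
    endpoint on that host would be accepted as a valid callback. Kept only as
    the contrast case for strict_redirect_check."""
    requested = urlsplit(redirect_uri)
    for allowed in REGISTERED_REDIRECT_URIS.get(client_id, ()):
        if urlsplit(allowed).netloc == requested.netloc:
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match whitelist: the requested URI must equal a registered string
    character for character (simple string comparison, as RFC 6749 specifies).
    Unknown clients, other paths, extra query parameters and fragments all fail."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if not allowed:
        return False
    return redirect_uri in allowed


def authorize(client_id: str, redirect_uri: str) -> str:
    """Decision an authorization endpoint makes before sending the user anywhere:
    when the URI is not whitelisted, it must not redirect at all, because the
    redirect itself is what would carry the code or token to the wrong place."""
    if strict_redirect_check(client_id, redirect_uri):
        return "redirect"
    return "error: invalid redirect_uri (no redirect performed)"


if __name__ == "__main__":
    for uri in ("https://app.example/oauth/callback",
                "https://app.example/redirect?to=https://other.example"):
        print(uri, "weak:", weak_redirect_check("client-123", uri),
              "strict:", strict_redirect_check("client-123", uri))
```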
Ironically, Microsoft, Google and other tech companies announced a plan a few days ago to help fund research into open source-based security systems in order to prevent another "Heartbleed" crisis.