New Vulnerability in OAuth and OpenID?

I’ve had a few people ask me about the vulnerability in OpenID and OAuth reported on Phys.Org. This is not inherently a vulnerability in OpenID, but rather a potential way to get information from a website that implements both an open redirect (a big no-no) and OAuth or OpenID.

What does this mean? Are you safe and secure using OAuth and OpenID? The truth is that OAuth and OpenID have very little to do with the reported vulnerability. What users should be worried about is using a website or service that implements an open redirect. Does anyone have an example of a mainstream website that uses open redirects? Normally when one is detected, the service will fix it immediately.

You are NOT giving a potential attacker carte blanche with your OpenID credentials all over the Internet.  The headline stating that a “math student” found the vulnerability implies that it was related to math or cryptography.  That is simply not the case.

TL;DR OAuth and OpenID are not vulnerable. Sites with open redirects are the security vulnerability.
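
An open redirect is an endpoint that sends the browser to whatever URL a request parameter names. As an added example (not from the original post), here is a Python check a site could apply to such a parameter before redirecting; the allowlisted hosts, the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real site lists its own hosts.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return target if it stays on an allowed host, otherwise the fallback."""
    if not isinstance(target, str) or not target or target != target.strip():
        return fallback
    # Browsers treat "\" like "/" and drop control characters, so reject
    # both outright instead of trying to normalise them.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return fallback
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative URL: accept only a local path with a single leading slash.
        # "//host/path" is scheme-relative and would leave the site.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return fallback
    if parts.scheme != "https":
        return fallback
    # hostname excludes userinfo and port, so "allowed@other" yields "other";
    # any userinfo is refused as well, since it only serves to mislead.
    if has_userinfo or host not in allowed_hosts:
        return fallback
    return target


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("/account/settings",
                   "https://accounts.example.com/cb?x=1",
                   "//other.example/x",
                   "https://www.example.com@other.example/",
                   "https://www.example.com.other.example/"):
        print(repr(sample), "->", repr(safe_redirect_target(sample)))
```

Comparing the parsed host against an exact allowlist, rather than testing whether the URL string starts with or contains a trusted name, is what rejects the last two samples.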

Michael Hull