OpenAuth/OpenID flaw – ok, now what?

It seems like the latest big security story is a newly discovered flaw in the OAuth and OpenID protocols which allow users to authenticate to third party web sites using their account on another web site like Google, LinkedIn or Facebook.  Apparently, it is relatively easy for attackers to create an attack via a phishing email with a link to a site which then asks the user to authenticate (to the fake site) using their Google account (or any other identity provider which supports OAuth and OpenID).  The authentication pop up will look legitimate – it will actually seem to point to the identity provider’s web site, but it will, in fact, deliver the unsuspecting user’s credentials to the attacker.

So what do we, as security professionals, do with this information?  Given the “behind the scenes” nature of the issue, and the fact that there is no cue to the user that a particular site is trying to use the flaw to gather credentials, we are stuck with telling our users to “be more careful” about using their Google/Facebook/LinkedIn etc. credentials to log in to sites.  Well, that’s pretty darn vague.  I guess the best advice to give people would be not to set up any new site credentials using OAuth/OpenID  until the problem has been fixed.

This is a classic example of the tradeoffs we make between security and privacy.  While logging in to multiple sites using credentials from a “trusted” provide makes life easier for the web user, he or she also risks having the security of all of their accounts linked to that ID compromised when that one provider suffers a security breach or there is a problem with the underlying technology.   This is one of the many reasons we need to move away from password authentication and  come up with easy to use 2 factor login methods to reduce the risk associated with weak/stolen passwords.

OpenAuth/OpenID flaw – ok, now what?

Leave a Reply