Right on the heels of the disaster that was Heartbleed comes another pair of security issues. This time, rather than coming from OpenSSL, our security issue comes to us care of OpenID and OAuth, another pair of open technologies used by a lot of websites.
OpenID is an authentication system which allows you to login to a large number of websites with a single set of credentials. OAuth allows you to authorize an application or website to use your information from another system, such as Facebook or Twitter.
The new issue, dubbed Covert Redirect, was discovered by Wang Jing, a doctoral student at Nanyang Technological University in Singapore. The idea behind the exploit is that, when you click a link that asks for your information from Facebook, the exploiter can gain access to said information as well, without your knowledge or permission. This is because there is no registration for acceptable redirects on success.
So, how can this be fixed? Facebook told Jing that it is a huge problem and that it won't be fixed anytime soon. Jing says,
The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. This makes the systems based on OAuth 2.0 or OpenID highly vulnerable.
These paired vulnerability instances are going to start a conversation that I feel should have started years ago: is having the source code for software available to the public an inherent security issue? The open source community has always maintained that it is not an issue, but anyone who has ever run a WordPress website would disagree with that notion. WordPress is possibly the biggest, most popular open source software in the world, and it is constantly under attack from bot comments who exploit vulnerabilities in the software through code research.
Whether you believe in the value of open source as a concept or not, you can't deny that the easy access to vulnerabilities is a good thing. Take, for example, the recent discovery of an exploit in Internet Explorer, which has been there for many years, but not discovered until recently. There has never been an exploit in WordPress that has existed that long without attack, because it is so easy to find said issues.
Do you have an opinion on either these security issues or the concept of open source security in general? We'd love to hear from you - feel free to comment below.