What is ‘Covert Redirect’ and Should You be Worried?
When Heartbleed struck in April, it shook the Internet to its core in an almost literal sense: the vulnerability, which could allow hackers to trick servers into surrendering sensitive data, took advantage of how communications are made online. Now, there’s a new vulnerability in town claiming to be the next core-shaking Internet threat. But is it really? Let’s take a look.
Covert Redirect: A look inside
The vulnerability in question has been dubbed “Covert Redirect,” due to its stealthy tactics. Discovered by Wang Jing, a mathematics PhD student in Singapore, Covert Redirect enables hackers to trick users into surrendering personal information by posing as an authorization window (a popup window which asks for authorization to connect to a third party website or application). If the faux-authorization is successful, the hacker can redirect the user to a website loaded with malicious software. If successfully executed, it can be a damaging attack that steals your login credentials and potentially installs malware on your device.
But that’s the difference between this vulnerability and the infamous Heartbleed: it depends on a lot of “ifs.” The entire success of the attack depends on certain criteria being met, most notably of which is finding a vulnerable application for the hacker to take advantage of. Heartbleed didn’t depend on meeting specific criteria in order to wreak havoc. It was a simple vulnerability that could be exploited by a single line of code.
So if Covert Redirect isn’t as bad as Heartbleed, should you worry?
In terms of severity, Covert Redirect ranks fairly low. That doesn’t mean you shouldn’t be concerned about it, but that you should be wary when someone runs around claiming they’ve found the Web’s next biggest exploit.
Covert Redirect takes advantage of two popular standards used to verify a person’s identity across different websites. Those standards are called OAuth 2.0 and OpenID. Essentially, they take your credentials from one website—say, Facebook—and apply them to a different website—say, The New York Times—so you can login with an existing ID and password, rather than creating a new account.
However, as long as both the service (i.e. Facebook) and the application (i.e. the New York Times) have proper security standards in place, Covert Redirect cannot be executed. This vulnerability requires hackers to track down a vulnerable application or service in order to work. It also requires hackers to conduct a phishing campaign—a large-scale operation that tries to trick users into clicking on links—in order to commence. Furthermore, the information sought by hackers in Covert Redirect may be of little value: since OpenID and OAuth 2.0 are targeted towards social interactions, the websites and applications requiring verification tend to be social in nature. Few, if any, require banking information in order to open an account. Thus, while hackers may obtain (keyword here being may) your social media login credentials, your bank account should be safe.
Overall, Covert Redirect requires too much work and effort on a hacker’s behalf to get info that’s of little value. So if that’s the case, then why is Covert Redirect attracting so much attention?
Welcome to the new media age
It turns out that Covert Redirect has been known about for some time. All Mr. Jing has done is dress it up in a nice logo and website a la Heartbleed. We can’t pretend to know Mr. Jing’s intentions in re-announcing a known flaw, but the cynic in me suggests that we’re going to see a lot more flashy “new” vulnerabilities discovered by upstart security firms and researchers aiming to attract attention to themselves and their research.
If my hunch is correct, then many people may suffer from vulnerability-fatigue, where news of a new disaster is routine and ignored. And when a real disaster—like Heartbleed—does strike, few will pay attention. And that’s a dangerous situation.
So what can you do to protect yourself when suffer from vulnerability-fatigue? Here are a few tips:
- Install comprehensive security. A comprehensive security system can protect you from phishing attacks and malicious websites by notifying you what websites are safe. In the event of a redirect attack like the one discussed here, McAfee LiveSafe™ service can help by warning you of dangerous websites and monitoring your public information stored online.
- Connect your accounts sparingly. If you still prefer to link websites (or social media accounts) together for easier logins, then do so sparingly. Link your accounts over OAuth 2.0 or OpenID only on websites you trust, and know what information is being shared. Do not put anything on your social media accounts (like Facebook or Google+) that you wouldn’t want anyone else to know.
- Create a variety of passwords for your accounts. Using Covert Redirect, hackers can work to gain access to your social media account credentials. To ensure that more valuable data isn’t obtained, be sure to use different passwords for your social, email, and bank accounts. Passwords should always be greater than 8 characters in length, with a variety of upper and lower case letters, numbers, and special characters. McAfee LiveSafe offers a Password Manager that can help create and remember strong codes.
- Use web protection when surfing online. McAfee® SiteAdvisor® is a free tool (included with McAfee LiveSafe), that provides you a warning message if you click on a bad link, but before you’re sent to that site. It also provides color-coded ratings on the safety of your browser’s search results and external links found in your Facebook, Google+ and LinkedIn news feeds when viewing from your PC or Mac.