{"id":35257,"date":"2014-05-06T14:18:07","date_gmt":"2014-05-06T21:18:07","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=35257"},"modified":"2025-08-31T23:07:01","modified_gmt":"2025-09-01T06:07:01","slug":"what-is-covert-redirect","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/internet-security\/what-is-covert-redirect\/","title":{"rendered":"What is \u2018Covert Redirect\u2019 and Should You be Worried?"},"content":{"rendered":"

When Heartbleed struck in April, it shook the Internet to its core in an almost literal sense: the vulnerability, which could allow hackers to trick servers into surrendering sensitive data, took advantage of how communications are made online<\/a>. Now, there\u2019s a new vulnerability in town claiming to be the next core-shaking Internet threat. But is it really? Let\u2019s take a look.<\/p>\n

Covert Redirect: A look inside<\/strong><\/p>\n

The vulnerability in question has been dubbed \u201cCovert Redirect,\u201d due to its stealthy tactics. Discovered by Wang Jing, a mathematics PhD student in Singapore, Covert Redirect enables hackers to trick users into surrendering personal information by posing as an authorization window<\/a> (a popup window which asks for authorization to connect to a third party website or application). If the faux-authorization is successful, the hacker can redirect the user to a website loaded with malicious software<\/a>. If successfully executed, it can be a damaging attack that steals your login credentials and potentially installs malware on your device.<\/p>\n

But that\u2019s the difference between this vulnerability and the infamous Heartbleed: it depends on a lot of \u201cifs.\u201d The entire success of the attack depends on certain criteria<\/a> being met, most notably of which is finding a vulnerable application for the hacker to take advantage of. Heartbleed didn\u2019t depend on meeting specific criteria in order to wreak havoc. It was a simple vulnerability that could be exploited by a single line of code.<\/p>\n

So if Covert Redirect isn\u2019t as bad as Heartbleed, should you worry?<\/strong><\/p>\n

In terms of severity, Covert Redirect ranks fairly low. That doesn\u2019t mean you shouldn\u2019t be concerned about it, but that you should<\/i> be wary when someone runs around claiming they\u2019ve found the Web\u2019s next biggest exploit.<\/p>\n

Covert Redirect takes advantage of two popular standards used to verify a person\u2019s identity across different websites. Those standards are called OAuth 2.0 and OpenID. Essentially, they take your credentials from one website\u2014say, Facebook\u2014and apply them to a different website\u2014say, The New York Times\u2014so you can login with an existing ID and password, rather than creating a new account.<\/p>\n

However, as long as both the service (i.e. Facebook) and the application (i.e. the New York Times) have proper security standards in place, Covert Redirect cannot be executed. This vulnerability requires hackers to track down a vulnerable application or service in order to work. It also requires hackers to conduct a phishing<\/a> campaign\u2014a large-scale operation that tries to trick users into clicking on links\u2014in order to commence. Furthermore, the information sought by hackers in Covert Redirect may be of little value: since OpenID and OAuth 2.0 are targeted towards social interactions, the websites and applications requiring verification tend to be social in nature. Few, if any, require banking information in order to open an account. Thus, while hackers may obtain (keyword here being may<\/em>) your social media login credentials, your bank account should be safe.<\/p>\n

Overall, Covert Redirect requires too much work and effort on a hacker\u2019s behalf to get info that\u2019s of little value. So if that\u2019s the case, then why is Covert Redirect attracting so much attention?<\/p>\n

Welcome to the new media age<\/strong><\/p>\n

<\/b>It turns out that Covert Redirect has been known about for some time<\/a>. All Mr. Jing has done is dress it up in a nice logo and website a la Heartbleed. We can\u2019t pretend to know Mr. Jing\u2019s intentions in re-announcing a known flaw, but the cynic in me suggests that we\u2019re going to see a lot more flashy \u201cnew\u201d vulnerabilities discovered by upstart security firms and researchers aiming to attract attention to themselves and their research.<\/p>\n

If my hunch is correct, then many people may suffer from vulnerability-fatigue, where news of a new disaster is routine and ignored. And when a real disaster\u2014like Heartbleed\u2014does strike, few will pay attention. And that\u2019s a dangerous situation.<\/p>\n

So what can you do to protect yourself when suffer from vulnerability-fatigue? Here are a few tips:<\/p>\n