#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

open redirect vulnerability | Breaking Cybersecurity News | The Hacker News

Nasty Covert Redirect Vulnerability found in OAuth and OpenID

Nasty Covert Redirect Vulnerability found in OAuth and OpenID

May 03, 2014
After Heartbleed bug , a security flaw in widely used open-source software OpenSSL that puts countless websites at risk, another vulnerability has been found in popular authentication software OpenID and authorization software OAuth. Wang Jing , a Chinese mathematics Ph.D student at the Nanyang Technological University in Singapore, found that the OAuth and OpenID open source login tools are vulnerable to the " Covert Redirect " exploit. The login tools ' OAuth ' and 'OpenID' protocols are the commonly used open standard for authorization. OAuth designed as a way for users to sign in or sign up for other services using an existing identity of a site such as Google, Facebook, Microsoft or Twitter, whereas OpenID is a decentralized authentication system for the Internet that allows users to log in at websites across the internet with same digital identity. The Covert Redirect vulnerability could affect those who use 'OAuth' and 'OpenID' protocols to 'login' to the websites
Facebook Open URL Redirection vulnerability

Facebook Open URL Redirection vulnerability

Nov 16, 2013
Security Researcher Dan Melamed discovered an Open URL redirection vulnerability in Facebook that allowed him to have a facebook.com link redirect to any website without restrictions. An open URL Redirection flaw is generally used to convince a user to click on a trusted link which is specially crafted to take them to an arbitrary website, the target website could be used to serve a malware or for a phishing attack . An Open URL Redirection url flaw in Facebook platform and third party applications also exposes the user's access token at risk if that link is entered as the final destination in an Oauth dialog . The Facebook Open URL Redirection vulnerability exists at landing.php  page with " url " parameter, i.e. https://facebook.com/campaign/landing.php?url=https://yahoo.com This URL will always redirects user to the Facebook 's homepage, but it is sufficient to manipulate the "url" parameter assigning a random string: https://facebo
6 Ways to Simplify SaaS Identity Governance

6 Ways to Simplify SaaS Identity Governance

Feb 21, 2024SaaS Security / Identity Management
With SaaS applications now making up the vast majority of technology used by employees in most organizations, tasks related to identity governance need to happen across a myriad of individual SaaS apps. This presents a huge challenge for centralized IT teams who are ultimately held responsible for managing and securing app access, but can't possibly become experts in the nuances of the native security settings and access controls for hundreds (or thousands) of apps. And, even if they could, the sheer volume of tasks would easily bury them. Modern IT teams need a way to orchestrate and govern SaaS identity governance by engaging the application owners in the business who are most familiar with how the tool is used, and who needs what type of access.  Nudge Security is a  SaaS security and governance solution  that can help you do just that, with automated workflows to save time and make the process manageable at scale. Read on to learn how it works. 1 . Discover all SaaS apps used b
Spam campaign tricking thousands with shortened .gov URLs

Spam campaign tricking thousands with shortened .gov URLs

Oct 21, 2012
Symantec has reported an increase in spam messages containing .gov URLs. Cybercriminals are using 1.usa.gov links in their spam campaigns to trick users into thinking the links lead to genuine US government Web sites. Spammers have created these shortened URLs through a loophole in the URL shortening service provided by bit.ly. USA.gov and bit.ly have collaborated, enabling anyone to shorten a .gov or .mil URL into a trustworthy 1.usa.gov URL. The click rate of the campaign has been significant, redirecting more than 16,000 victims over a five day period to a malicious website designed to look like a CNBC news article pushing several work from home scams. According to researchers from security firm Symantec , they simply leveraged an open-redirect vulnerability present on the official government site of Vermont (Vermont.gov) . Therefore, something like 1.usa.gov/…/Rxpfn9 takes you to labor.vermont.gov/LinkClick.aspx?link=[spam site] which then redirects you to the sp
cyber security

NIST Cybersecurity Framework: Your Go-To Cybersecurity Standard is Changing

websiteArmorPointCybersecurity / Risk Management
Find everything you need to know to prepare for NIST CSF 2.0's impending release in this guide.
Cybersecurity Resources