Serious security flaw in OAuth, OpenID has been discovered



Another major flaw has been found in popular open-source security software. This time, the holes have been found in the login tools OAuth and OpenID, used by many websites and tech titans like Google, Facebook, Microsoft, and LinkedIn...

The Covert Redirect vulnerability was discovered by Wang Jing, a Ph.D. student at Nanyang Technological University in Singapore. It lets attackers use both open-source login systems to steal your data and redirect you to unsafe sites.

This means that if someone clicks a malicious phishing link, they will get a popup window asking them to authorize the app. Instead of using a look-alike fake domain name to trick users, the Covert Redirect flaw uses the real site address for authentication, and when the victim authorizes the login, their personal data (depending on what is being asked for) is released to the attacker instead of the actual website. Regardless of whether the victim chooses to authorize the app, they are then redirected to a website of the attacker's choice, which could further compromise them.
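The mechanism behind this is the OAuth `redirect_uri` parameter: when an authorization server only checks that the redirect target is on the client's registered domain, any open redirector on that domain can forward the authorization response elsewhere. The following is an added example, not code from the article or from any of the named providers; it models a toy authorization server with the weak host-only check beside the exact-match check that defeats Covert Redirect. All URIs, the client registration, and the relying party's `next`-parameter redirector are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: the exact redirect URI a client registered with
# the authorization server. Real deployments keep this per client_id.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}


def strict_redirect_uri_ok(requested: str) -> bool:
    """Exact string comparison against the registered URIs.

    This is the check recommended by the OAuth 2.0 Security Best Current
    Practice: no prefix, wildcard or host-only matching.
    """
    return requested in REGISTERED_REDIRECT_URIS


def lax_redirect_uri_ok(requested: str) -> bool:
    """Host-only matching: accepts any path on a registered host.

    This is the weak setting Covert Redirect abuses. An open redirector
    that happens to live on the legitimate host passes this check, so the
    authorization response is sent there and then forwarded onward.
    """
    req = urlsplit(requested)
    if req.scheme != "https":
        return False
    registered_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECT_URIS}
    return req.hostname in registered_hosts


def final_destination(redirect_uri: str) -> str:
    """Model the relying party's open redirector (constructed behaviour).

    If the callback path carries a 'next' query parameter, the relying party
    is assumed to follow it unconditionally; otherwise the request stays
    where it landed.
    """
    parts = urlsplit(redirect_uri)
    nxt = parse_qs(parts.query).get("next")
    return nxt[0] if nxt else redirect_uri


def authorize(requested_redirect_uri: str, strict: bool) -> dict:
    """Simulate the authorization endpoint's decision for one request.

    Returns where the authorization response (code or token) would end up
    if the user approves, or a rejection when the redirect_uri fails the
    configured check.
    """
    check = strict_redirect_uri_ok if strict else lax_redirect_uri_ok
    if not check(requested_redirect_uri):
        return {"status": "rejected", "reason": "redirect_uri not registered"}
    landing = final_destination(requested_redirect_uri)
    return {
        "status": "issued",
        "response_delivered_to": urlsplit(landing).hostname,
    }


if __name__ == "__main__":
    # Constructed: a redirect_uri pointing at an open redirector on the
    # legitimate host, which forwards to an unrelated host.
    suspicious = "https://app.example.com/redirect?next=https://attacker.example/"
    print("lax   :", authorize(suspicious, strict=False))
    print("strict:", authorize(suspicious, strict=True))
```

With host-only matching the response is reported as delivered to `attacker.example` even though the user only ever saw the real provider's consent screen; with exact matching the same request is rejected before any consent prompt is shown. Exact-match registration is the server-side fix; relying parties should separately avoid exposing open redirectors on the host that receives OAuth callbacks.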



Tetraph