Some media outlets are sounding the alarm about the recently discovered Covert Redirect flaw in OAuth and OpenID being “the next Heartbleed.” Symantec experts have assured people that it’s not.
What is this Covert Redirect flaw? The vulnerability affects web and mobile applications that let users log in via OAuth (an authorization standard that lets third parties access account details from other websites, such as social media sites). It lets attackers present a fake login popup under the affected website's real domain. If users authorize the login, the attackers can collect their login information, and even if they don't, users can be redirected to a malicious website that could compromise their computer.
People who use popular social media sites to log in to web and mobile applications are particularly vulnerable, and, at this time, popular sites have not issued a fix because the solution goes beyond a simple patch. These sites will have to work with third-party vendors to 'whitelist' applications that are considered safe.
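To make the whitelisting remedy concrete, here is an added example (not code from Symantec, Norton or any OAuth provider) of the check an identity provider runs on the `redirect_uri` an application supplies. It contrasts a host-only check, which accepts any page on a registered domain, with an exact-match allow list; the client id, hostname and URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry: each OAuth client id maps to the exact redirect URIs it
# registered with the provider. The client id and host are hypothetical.
REGISTERED_REDIRECTS = {
    "client-abc": {"https://app.example.com/oauth/callback"},
}


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accept any HTTPS URL whose host matches a registered one.

    With this rule the provider will send the user, and the code or token in the
    response, to any path on the application's domain, including a page on that
    domain that merely forwards visitors elsewhere. That is the gap Covert
    Redirect describes.
    """
    allowed_hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Allow-list check: redirect_uri must equal a registered URI byte for byte.

    No normalisation is attempted: extra query parameters, a different path or
    an unknown client id are refused rather than "fixed up".
    """
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, check=strict_redirect_ok) -> str:
    """Return the Location the provider would redirect to, or an error marker.

    On refusal the provider must not redirect to the supplied URI at all; doing
    so would hand the response to the very URI that failed validation.
    """
    if not check(client_id, redirect_uri):
        return "error:invalid_redirect_uri"
    # Constructed placeholder; a real provider issues a fresh random code.
    separator = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{separator}code=CONSTRUCTED_CODE"


# Constructed inputs: the registered callback and a forwarding page on the same host.
GOOD = "https://app.example.com/oauth/callback"
SAME_HOST_OTHER_PATH = "https://app.example.com/redirect?to=https://not-the-app.example"
```

Running `authorize("client-abc", SAME_HOST_OTHER_PATH, check=loose_redirect_ok)` shows the provider sending the code to the forwarding page, while the default strict check returns the error marker instead.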
Why is this bug not as bad as Heartbleed? Heartbleed steals information from users without any action on the user's part; attackers simply need to send requests to unpatched servers. To take advantage of the Covert Redirect flaw, attackers need to trick users into providing their information and must carry out a number of steps before they can steal anything from a user.
As a reminder, it’s important to make sure that all of your security software is up to date. For complete, multi-device protection, get Norton 360 Multi-Device.