Engadget

Popular login services have a security hole, but Facebook and Microsoft can't fix it

The recent Heartbleed scare caused a huge stir, even though it was effectively fixed before it even happened. There are other sorts of security holes, however, which can't be plugged so readily, and which affected companies therefore have less incentive to publicize. A researcher in Singapore, Wang Jing, claims to have uncovered a potentially serious example of this involving the widely-used login services OAuth and OpenID. He says that he's tried to alert major web services that rely on these platforms, including Facebook, Microsoft and Google, but they're refusing to take responsibility for the issue.

If exploited, the vulnerability inside OAuth and OpenID could reportedly allow a malicious website to use a genuine website -- such as Facebook.com -- to authorize its illicit requests for personal information. Any pop-ups shown to the user asking for their approval would also appear to be coming from the genuine site. According to CNET, Google says it's "tracking the issue," Facebook says it's aware of the problem but solving it is "something that can't be accomplished in the short-term," and Microsoft says it can't fix something that "exists on the domain of a third party."

Other security analysts have corroborated Jing's central finding, but some have described it as a "known WONTFIX" or as a fundamental problem with web security as a whole. Either way, the best advice is to be wary of following links that immediately ask you to log in to Google or Facebook, and to close the tab if this happens, in order to prevent redirects. As ever, don't just assume that the sites and services you use every day are necessarily safe -- in the future, we could well look back on these years as the Wild West era of the internet.
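The article does not spell out the mechanism, but the defence an OAuth provider controls is how strictly it checks where an authorization response may be sent. The example below is added here and is not code from the article or from any of the providers named; it contrasts a loose host-only check with an exact-match check against a client's registered redirect URI. The client registry and URIs are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample registry: each client_id maps to the exact redirect
# URIs it registered with the provider at signup.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def _registered_hosts(client_id: str) -> set:
    return {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}


def redirect_uri_allowed_loosely(client_id: str, redirect_uri: str) -> bool:
    """Weak policy: accept any URI on a registered host.

    Any path on the registered site (including pages that themselves
    forward the browser elsewhere) passes, so the provider's consent
    screen and the resulting response can be steered by a third party.
    """
    return urlsplit(redirect_uri).hostname in _registered_hosts(client_id)


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Strict policy: exact string match against the registered URIs.

    Also refuses non-HTTPS schemes and fragments, so neither scheme
    downgrade nor fragment tricks can vary the accepted target.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    registered = "https://app.example.com/oauth/callback"
    other_path = "https://app.example.com/some/other/page"
    for uri in (registered, other_path):
        print(uri, "loose:", redirect_uri_allowed_loosely("client-123", uri),
              "strict:", redirect_uri_allowed("client-123", uri))
```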

[Image credit: Gamma Man/Flickr]