![A Look at 30 Key Cyber Crime Statistics [2023 Data Update]](https://www.thesslstore.com/blog/wp-content/uploads/2022/02/cyber-crime-statistics-feature2-75x94.jpg)
(No Ratings Yet)
Loading...What is ‘Covert Redirect’ and Should You be Worried?
When Heartbleed struck in April, it shook the Internet to its core in an almost literal sense: the vulnerability, which could allow hackers to trick servers into surrendering sensitive data, took advantage of how communications are made online. Now, there’s a new vulnerability in town claiming to be the next core-shaking Internet threat. But is it really? Let’s take a look.
Covert Redirect: A look inside
The vulnerability in question has been dubbed “Covert Redirect,” due to its stealthy tactics. Discovered by Wang Jing, a mathematics PhD student in Singapore, Covert Redirect enables hackers to trick users into surrendering personal information by posing as an authorization window (a popup window which asks for authorization to connect to a third party website or application). If the faux-authorization is successful, the hacker can redirect the user to a website loaded with malicious software. If successfully executed, it can be a damaging attack that steals your login credentials and potentially installs malware on your device.
But that’s the difference between this vulnerability and the infamous Heartbleed: it depends on a lot of “ifs.” The entire success of the attack depends on certain criteria being met, most notably of which is finding a vulnerable application for the hacker to take advantage of. Heartbleed didn’t depend on meeting specific criteria in order to wreak havoc. It was a simple vulnerability that could be exploited by a single line of code.
So if Covert Redirect isn’t as bad as Heartbleed, should you worry?
In terms of severity, Covert Redirect ranks fairly low. That doesn’t mean you shouldn’t be concerned about it, but that you should be wary when someone runs around claiming they’ve found the Web’s next biggest exploit.
Covert Redirect takes advantage of two popular standards used to verify a person’s identity across different websites. Those standards are called OAuth 2.0 and OpenID. Essentially, they take your credentials from one website—say, Facebook—and apply them to a different website—say, The New York Times—so you can login with an existing ID and password, rather than creating a new account.
However, as long as both the service (i.e. Facebook) and the application (i.e. the New York Times) have proper security standards in place, Covert Redirect cannot be executed. This vulnerability requires hackers to track down a vulnerable application or service in order to work. It also requires hackers to conduct a phishing campaign—a large-scale operation that tries to trick users into clicking on links—in order to commence.
Furthermore, the information sought by hackers in Covert Redirect may be of little value: since OpenID and OAuth 2.0 are targeted towards social interactions, the websites and applications requiring verification tend to be social in nature. Few, if any, require banking information in order to open an account. Thus, while hackers may obtain (keyword here being may) your social media login credentials, your bank account should be safe.
Overall, Covert Redirect requires too much work and effort on a hacker’s behalf to get info that’s of little value. So if that’s the case, then why is Covert Redirect attracting so much attention?
Welcome to the new media age
It turns out that Covert Redirect has been known about for some time. All Mr. Jing has done is dress it up in a nice logo and website a la Heartbleed. We can’t pretend to know Mr. Jing’s intentions in re-announcing a known flaw, but the cynic in me suggests that we’re going to see a lot more flashy “new” vulnerabilities discovered by upstart security firms and researchers aiming to attract attention to themselves and their research.
If my hunch is correct, then many people may suffer from vulnerability-fatigue, where news of a new disaster is routine and ignored. And when a real disaster—like Heartbleed—does strike, few will pay attention. And that’s a dangerous situation.
So what can you do to protect yourself when suffer from vulnerability-fatigue? Here are a few tips:
- Install comprehensive security. A comprehensive security system can protect you from phishing attacks and malicious websites by notifying you what websites are safe. In the event of a redirect attack like the one discussed here, McAfee LiveSafe™ service can help by warning you of dangerous websites and monitoring your public information stored online.
- Connect your accounts sparingly. If you still prefer to link websites (or social media accounts) together for easier logins, then do so sparingly. Link your accounts over OAuth 2.0 or OpenID only on websites you trust, and know what information is being shared. Do not put anything on your social media accounts (like Facebook or Google+) that you wouldn’t want anyone else to know.
- Create a variety of passwords for your accounts. Using Covert Redirect, hackers can work to gain access to your social media account credentials. To ensure that more valuable data isn’t obtained, be sure to use different passwords for your social, email, and bank accounts. Passwords should always be greater than 8 characters in length, with a variety of upper and lower case letters, numbers, and special characters. McAfee LiveSafe offers a Password Manager that can help create and remember strong codes.
- Use web protection when surfing online. McAfee SiteAdvisor is a free tool (included with McAfee LiveSafe), that provides you a warning message if you click on a bad link, but before you’re sent to that site. It also provides color-coded ratings on the safety of your browser’s search results and external links found in your Facebook, Google+ and LinkedIn news feeds when viewing from your PC or Mac.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown