Looking for the Next Heartbleed in all the Wrong Places

May 06, 2014, 02:00 (0 Talkback[s])
(Other stories by Sean Michael Kerner)

With the 'Covert Redirect' flaw the basic premise of the attack is to take advantage of a previously-known mis-configuration issue in OAuth and OpenID. One of the most succinct comments about why Covert Redirect is not the same Heartbleed was published by security vendor Symantec in a blog post on May 3.

"The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers," Symantec stated. "Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users."

Complete Story

Related Stories:

• Heartbleed coder admits oversight but backs open source(Apr 11, 2014)
• Heartbleed: for hundreds of thousands of servers at risk around the world from catastrophic bug(Apr 09, 2014)
• Heartbleed and Heartache in FOSS Town(Apr 22, 2014)
• Will Open-Source Money Prevent the Next Heartbleed?(Apr 15, 2014)
• Heartbleed: Open source's worst hour(Apr 15, 2014)
• Dear Ubuntu Users, Stop Saying the Ubuntu Is Unprotected Against the Heartbleed Exploit(Apr 16, 2014)