With the ‘Covert Redirect’ flaw, the basic premise of the attack is to take advantage of a previously known misconfiguration issue in OAuth and OpenID. One of the most succinct comments about why Covert Redirect is not the same as Heartbleed was published by security vendor Symantec in a blog post on May 3.
“The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers,” Symantec stated. “Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.”
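The misconfiguration at the heart of Covert Redirect is an OAuth or OpenID provider that validates a client's redirect URI loosely (by domain only) rather than against the exact value the client registered. The following is an added illustration, not code from the article or from Symantec, showing the loose check beside the strict one that providers are advised to use; the client identifier, hostnames and registered URI are constructed sample values.

```python
from urllib.parse import urlparse, urlunparse

# Constructed sample data: redirect URIs registered by a hypothetical client.
REGISTERED_REDIRECTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}


def _normalise(uri):
    """Canonicalise a redirect URI for comparison.

    Returns None when the URI is unusable: non-HTTPS, missing host, or
    carrying a fragment (fragments are never sent to a server and are a
    common way to smuggle a token to a different page).
    """
    p = urlparse(uri)
    if p.scheme.lower() != "https" or not p.netloc or p.fragment:
        return None
    return urlunparse((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       p.params, p.query, ""))


def weak_domain_match(client_id, redirect_uri):
    """Loose check that only compares the host.

    This is the pattern Covert Redirect abuses: any path on the registered
    host passes, including an endpoint that itself forwards users elsewhere,
    so the authorisation code or token can be bounced off the trusted site.
    """
    allowed_hosts = {urlparse(u).netloc.lower()
                     for u in REGISTERED_REDIRECTS.get(client_id, [])}
    p = urlparse(redirect_uri)
    return p.scheme.lower() == "https" and p.netloc.lower() in allowed_hosts


def strict_exact_match(client_id, redirect_uri):
    """Hardened check: the supplied URI must equal a registered one exactly
    (after scheme/host case normalisation), path and query included."""
    candidate = _normalise(redirect_uri)
    if candidate is None:
        return False
    registered = {_normalise(u) for u in REGISTERED_REDIRECTS.get(client_id, [])}
    registered.discard(None)
    return candidate in registered


if __name__ == "__main__":
    # A redirect through a forwarding endpoint on the trusted host passes the
    # weak check but is rejected by the strict one.
    bounced = "https://app.example.com/redirect?to=https://attacker.example"
    print("weak  :", weak_domain_match("client-123", bounced))    # True
    print("strict:", strict_exact_match("client-123", bounced))   # False
```

The strict comparison is the behaviour RFC 6749 expects of an authorisation server: a registered redirect URI is matched as a whole string, so an unrelated forwarding endpoint on the same host cannot be substituted for the callback.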