Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with “Covert Redirections”. Spoiler alert: there’s no catastrophe.
For those that haven’t heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are vulnerable to a specific type of Open Redirection. He named this attack “Covert Redirection”.
Covert Redirection attacks are actually only one variant of a much larger group of attacks that can be described as Third-Party Auth Token Thefts. There are two important concepts to understand: third-party authentication or authorization and URL-based data routing.