A major new vulnerability has been discovered in security protocols OAuth 2.0 and OpenID while the internet is still reeling from the Heartbleed bug.
Ph.D student Wang Jing of Nanyang Technological University in Singapore spotted a bug that allows hackers to use phishing techniques in an attempt to steal login details without users knowing.
The bug essentially allows cybercriminals to use real website authentication to power a phishing popup, instead of the more common tactic of faking the domain. In the process, hackers will receive the user's login credentials.
The vulnerability affects many major websites, including Facebook, Google, Yahoo, LinkedIn, PayPal, and Microsoft.
Facebook dismissed the threat when contacted by Wang, suggesting it would be impossible to plug the hole in the short term. Other firms like Google and Microsoft are either tracking the bug or have already concluded investigations.
A workaround would involve using a whitelist for all applications on a website, but this would negatively affect the user experience. Until this is fixed, users are advised to be careful about entering login details in popup windows prompted by applications.
The vulnerability comes in the wake of the Heartbleed bug, seen by many as the worst security threat to face the internet. Most top websites have already patched it, but now they have to worry about another security headache.