How do you log in to your online services? A recently disclosed Facebook exploit could change the way you do it in future…
In a detailed blog post, security researcher Youssef Sammouda explained that chaining redirects in Google's OAuth login flow with vulnerabilities in Facebook allowed him to hijack Facebook accounts when users logged in with their Gmail credentials.
Speaking to The Daily Swig, Sammouda explained that he was able to use redirects in Google OAuth and chain them with elements of Facebook's logout, checkpoint and sandbox systems to break into accounts. Although his proof of concept used Gmail credentials, he said “it was possible to target all Facebook users”.
Sammouda says Facebook paid him a “bug bounty” of $44,625 for his disclosure of the vulnerability in February. Facebook patched it in March, although the findings were only made public this week.
And while OAuth itself is not responsible for the exploit (the flaws were in how Facebook handled the chained redirects), the fact that it could be chained with Facebook's vulnerabilities puts the spotlight on this popular standard and the additional risks it carries.
What is OAuth? The name derives from “Open Authorization”, and it is an open standard adopted by many of the world's largest technology companies, including Amazon, Microsoft, Twitter, Google and many more. Strictly speaking it is an authorization standard (it lets one site act on your behalf at another), but in practice it underpins the “Sign in with…” buttons everywhere. Its calling card is convenience: it lets users link an existing account with a major tech company to third-party sites, registering and logging in with those credentials instead of creating a new account.
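To make the redirect risk concrete, here is an added example (not code from the article, from Facebook, Google or Sammouda's research) of a minimal OAuth 2.0 authorization-code login. It models one assumed weak configuration, an authorization server that accepts any redirect URI merely starting with the registered one, beside the strict form, and a client that binds the callback to the user's session with a `state` value. Every client ID, URL and session name below is constructed for illustration.

```python
"""
Added example, not from the article: why redirect handling matters in OAuth.

A 'lax' authorization server (assumed weak configuration) accepts any
redirect_uri that starts with the registered one, so a path under the
client's domain that the attacker can steer (here a hypothetical open
redirect) receives the authorization code.  The 'strict' server requires
an exact match.  The client refuses callbacks whose state does not match
the one it issued for that browser session (login CSRF / session swap).
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration table: client_id -> exact registered redirect URI.
REGISTERED_REDIRECTS = {"client-fb": "https://client.example/oauth/callback"}


def lax_redirect_ok(client_id, redirect_uri):
    """Weak: plain string prefix match on the registered URI."""
    return redirect_uri.startswith(REGISTERED_REDIRECTS[client_id])


def strict_redirect_ok(client_id, redirect_uri):
    """Correct: the redirect URI must equal the registered one exactly."""
    return redirect_uri == REGISTERED_REDIRECTS[client_id]


class AuthorizationServer:
    """Toy authorization server; client authentication is omitted."""

    def __init__(self, redirect_check):
        self.redirect_check = redirect_check
        self.codes = {}  # code -> (client_id, redirect_uri it was issued for)

    def authorize(self, client_id, redirect_uri, state):
        """Return the URL the user's browser is sent back to, or None if refused."""
        if not self.redirect_check(client_id, redirect_uri):
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        sep = "&" if "?" in redirect_uri else "?"
        return redirect_uri + sep + urlencode({"code": code, "state": state})

    def exchange(self, client_id, code, redirect_uri):
        """Single-use code exchange; redirect_uri must match the one at issue time."""
        entry = self.codes.pop(code, None)
        return entry is not None and entry == (client_id, redirect_uri)


class Client:
    """Relying party that binds each login attempt to a browser session."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.sessions = {}  # session id -> expected state

    def start_login(self, session):
        state = secrets.token_urlsafe(16)
        self.sessions[session] = state
        return state

    def handle_callback(self, session, callback_url, auth_server):
        qs = parse_qs(urlparse(callback_url).query)
        code = qs.get("code", [None])[0]
        state = qs.get("state", [""])[0]
        expected = self.sessions.pop(session, None)
        if expected is None or not secrets.compare_digest(state, expected):
            return False  # state mismatch: do not complete the login
        return auth_server.exchange(
            self.client_id, code, REGISTERED_REDIRECTS[self.client_id])


def demo(redirect_check):
    """Returns (attacker_received_code, legitimate_login_succeeded)."""
    server = AuthorizationServer(redirect_check)
    client = Client("client-fb")
    # Constructed attacker-chosen URI: shares the registered prefix but
    # points at a hypothetical open redirect on the client's site.
    attacker_uri = (REGISTERED_REDIRECTS["client-fb"]
                    + "/../open?to=https://evil.example")
    leaked = server.authorize("client-fb", attacker_uri, "attacker-state")
    attacker_got_code = leaked is not None and "code=" in leaked
    # Legitimate flow through the registered URI with a bound state.
    state = client.start_login("victim-session")
    cb = server.authorize("client-fb", REGISTERED_REDIRECTS["client-fb"], state)
    return attacker_got_code, client.handle_callback("victim-session", cb, server)


def state_mismatch_refused():
    """A callback carrying someone else's state must not log the victim in."""
    server = AuthorizationServer(strict_redirect_ok)
    client = Client("client-fb")
    client.start_login("victim-session")
    cb = server.authorize("client-fb", REGISTERED_REDIRECTS["client-fb"], "attacker-state")
    return client.handle_callback("victim-session", cb, server) is False


if __name__ == "__main__":
    print("lax server:", demo(lax_redirect_ok))        # (True, True)
    print("strict server:", demo(strict_redirect_ok))  # (False, True)
    print("state check holds:", state_mismatch_refused())
```

The point is that both servers log the legitimate user in; only the strict one refuses to hand the code to a URI the client never registered, and only the state check stops a code issued for one browser from completing a login in another. Exact redirect matching and session-bound state are the two checks a practitioner should look for in any “Sign in with…” implementation.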
And this is where the concerns arise. Commenting on Sammouda’s findings, security vendor Malwarebytes Labs issued a warning to anyone using linked accounts:
“Linked accounts were invented to make logging in easier,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can use an account to sign in to other apps, sites, and services… All you have to do to access the account is confirm that the account is yours.”
“We wouldn’t recommend it, because if someone gets the one password that controls them all, you’ll be in even more trouble than if a single site’s password were compromised,” he explains.
That is the trade-off in a nutshell, and OAuth is far from impenetrable: published how-to guides to exploiting vulnerabilities in OAuth authentication already exist. All of this raises a serious convenience-versus-security puzzle, and I'm leaning towards the safety side.
The good news is that it is possible to unlink accounts. In the case of Facebook, go to: Settings & Privacy > Settings > Accounts Center > Accounts & Profiles. Other sites offer similar options for disconnecting linked accounts.
Follow Gordon on Facebook