Facebook Vulnerability With Gmail OAuth Code

This Facebook exploit may change how you register for services.

Youssef Sammouda, a security researcher, showed how combining Gmail’s OAuth authentication code with Facebook vulnerabilities allowed him to hijack Facebook accounts when users signed in with their Gmail credentials.

Sammouda told The Daily Swing that he was able to get into accounts by using redirects in Google OAuth and chaining them with aspects of Facebook’s logout, checkpoint, and sandbox systems.

While he demonstrated the proof of concept using Gmail credentials, he emphasized that “it was possible to target all Facebook users.”

According to Sammouda, Facebook paid him a $44,625 ‘bug reward’ in February for disclosing the vulnerability. Facebook corrected it in March, but it wasn’t made public until this week.

OAuth was not directly responsible for the exploit, but the fact that it was chained with the Facebook flaws draws attention to this popular security standard and the additional risks it poses.

So, what exactly is OAuth? It is an open standard, short for “Open Authorization,” that many of the world’s major tech businesses, including Amazon, Microsoft, Twitter, Google, and others, have adopted.

Its main selling point is convenience: users may link their existing accounts with big tech companies to third-party sites for registration and then sign in with those credentials.

No need to create a new account.

And this is where the issues arise. Malwarebytes Labs, a security firm, issued a warning to anyone who uses connected accounts in response to Sammouda’s findings:

“Linked accounts were developed to make logging in quicker,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can log in to different apps, e.g. Facebook, websites, and services using the same account… To gain access to the account, simply confirm that it belongs to you.”

“We wouldn’t advocate that because if the one password that controls them all is compromised, you’ll be in even more danger than if only one site’s password is compromised,” he explains.

That is the problem in a nutshell, and OAuth is far from impenetrable. Here’s a step-by-step guide to exploiting the flaws in OAuth authentication.

All of this creates a severe convenience vs. security dilemma, and I lean toward security.

The good news is that linked accounts can be separated. On Facebook, navigate to Settings & Privacy > Settings > Accounts Center button > Accounts & Profiles.

Other third-party sites can be unlinked using similar methods.