The Safety Of Using Your Facebook ID To Sign On To Other Websites
UPDATE: Apparently Paypal was one of the companies affected by some of these OAuth security holes and they just released a fix (Dec 1,2016) for a bug that would allow hackers to steal OAuth tokens from payment apps of third party developers.
Many web sites encourage you to sign on with your social media userid and password. Different sites allow you to use different social media accounts such as Facebook or LinkedIn.
But no matter which social media account you use, the technology behind it, called OAuth 2.0, is the technology that they use to make this happen.
I have never been a fan of doing that, but not for the reason I am about to talk about.
For me, the issue is that, by definition, when you share your credentials with another site, they connect your visits and, of course, sell your data. As an example, if you sign on to sites A, B and C using your Facebook userid and password, then Facebook knows that you are visiting sites A, B and C and it may get other information from those sites as well.
In addition, if you use your Facebook credentials at those sites and any one of the sites where you are using that userid and password has a breach, then all of those sites are compromised. So even if you think that Facebook has good security (and it likely does have better than average security), the weakest link in that chain will compromise ALL of those sites.
Now we have another reason not to “share” userids.
Back in January, researchers at the University of Trier found two security glitches in the OAuth protocol and made recommendations on how to fix the bugs. Whether any given site has, in fact, fixed those bugs is unknown and impossible for you as a user to tell.
Now researchers have identified 4 bugs in OAuth that compromise the security in the system and, of course, since that paper is available in the SANS library, hackers know about it also.
OAuth was designed to allow users to log in to web sites, but now it is being used for mobile apps. In addition, it turns out that the OAuth specification is complex and convoluted, so, apparently, many developers have not implemented it correctly in the mobile space.
Researchers looked at 600 Android apps. They used Android apps not because they are more or less secure, but rather it was easier to look at the code because of the Android architecture.
Of those 600 mobile apps, 182 allowed the user to log on using their social media accounts. For those apps that allowed the user to log on using their social media userids and passwords, 41% of them had security issues with their implementation OAuth. For example, developers did not check the validity of the information sent from the ID provider. Other developers only looked at the returned ID and didn’t bother to see if the developer said that the credentials were valid. There were a number different security issues.
While that 41% amounted to only 75 apps, scale that up to the millions of apps out there and you can see that this could be a big problem.
Unlike SSL, where there are organizations like SSL Labs website where you can test any web site’s implementation of SSL – at least to a degree – there is no equivalent way to test any particular web site OR MOBILE APP’s implementation of OAuth.
As we said, while these tests were done with Android apps, there is no reason to believe that developers coded their OAuth implementations any better on Apple devices than on Google devices.
So if you weren’t squeamish about logging on to some random website using your social media userid and password before, you may be now. Of course, if you follow best practice and do not share passwords across web sites, then using social media IDs and passwords at different sites violates that rule.
Just food for thought.
Information for this post came for SC Magazine, SANS reading room and Forbes.