A recently discovered flaw in Gmail's authentication flow, and the ways it could be exploited, may make users rethink how they log in.
Speaking to The Daily Swig, security researcher Youssef Sammouda has revealed a set of flaws in the authentication code that Gmail uses, which allowed him to exploit weaknesses in Facebook's login flow. He reveals that these flaws could be used to hijack any Facebook account that uses Gmail credentials as its login. The scope of the damage that could be done through malicious exploitation of this vulnerability can only be imagined.
Sammouda explained that he was able to chain the redirection used by Google's OAuth with Facebook's logout, sandbox and checkpoint systems to hijack Facebook accounts. The OAuth that Google uses is an implementation of the "Open Authorisation" standard, which giant corporations such as Twitter, Amazon and others also use in their login protocols. Open Authorisation allows users to log into accounts held with one of these companies using a pre-existing user ID and password from another. For example, a Google account can be used to sign up for and log into Amazon, and a Facebook account to sign up for and log into Spotify. A breach in this system would threaten the security of an unprecedented portion of the internet, putting the privacy and information of millions at risk, if not more.
Sammouda was paid a fee, known as a "bug bounty", for reporting the issue. Facebook has consequently fixed the issue on its side, blocking this route for hijacking accounts. Google has yet to respond about its part in preventing the exploitation of its OAuth flow, but we can expect action towards shutting down the prospect of this exploit.
Reacting to this newfound information about the vulnerabilities, security provider Malwarebytes Labs issued a warning. "Linked accounts were invented to make logging in easier", explains Pieter Arntz, the company's Malware Intelligence Researcher. Malwarebytes stated, "You can use one account to log in to other apps, sites and services... All you need to do to access the account is confirm that the account is yours". They advised, "We wouldn't recommend it because if anyone gets hold of the one password that controls them all, you're in even bigger trouble than you would be if only one site's password is compromised".
This news is sure to make anyone question the integrity of the security promises that these sites make. Open Authorisation was clearly introduced for the convenience of users, but seeing that this convenience can come at a great cost, many users would rather log in manually instead of leaving it in the hands of potentially flawed systems. The good news for them is that most sites allow their users to unlink accounts. On Facebook, one can do this by navigating to: Settings & Privacy > Settings > Accounts Center button > Accounts & Profiles.
To conclude, we are humbly reminded that the internet is a place where doing anything can put our privacy and security at risk. We have been taught from a young age not to share our information, but it is time to put that into practice. Today it was one exploit; tomorrow there might be another. That, however, does not mean that everyone and every system is out to get you. There are many engineers working tirelessly for our benefit, like Sammouda and the people at Facebook who were quick to solve the issue. We should be concerned for our safety, but not ungrateful either.