A faster log-in or a security backdoor!
Navigating the fine line between logging in using Google, Facebook, etc. and credentials exposure.
How many times do we log in via Facebook, Google, or any other third-party authentication service? It’s easy to access many websites, but what do we know about the possible vulnerabilities?
When you see the option to "Sign in with Google" or another similar service on a website or app, it means you can use your existing Google or third-party account to log in, saving you the trouble of creating a new account. You click the button, approve access, and you're in.
It’s a convenient way to access a new website or a new application, but this convenience comes with its own potential risk. Did you ever wonder if this website or application was insecure?
Imagine a well-known website like Grammarly with 30 million daily users, an eCommerce platform in Indonesia with 150 million users like Bukalapak, or a video streaming platform with 100 million monthly active users like Vidio. These aren't one-man operations.
A couple of days ago, a renowned security firm released news about exploits affecting the platforms mentioned above, all related to social logins and token verification. The vulnerabilities are now fixed, but this makes me ask: what about the other, lesser-known websites that we use this feature to log in to?
Still, what data are they going to recover from such websites? My email? I will only receive a couple of annoying ads, right?
That is what I thought as well, but I discovered that the risks are much greater.
So, let’s state some of these risks:
1. Phishing Attacks: Cybercriminals may create fake login pages that mimic the Google sign-in page. Unsuspecting users might enter their credentials, unknowingly providing them to malicious actors.
2. Credential Stuffing: Attackers use leaked username and password combinations from previous data breaches to gain unauthorised access to Google accounts. If users reuse passwords across multiple sites, this method becomes more effective.
3. Man-in-the-Middle Attacks: Hackers intercept the communication between the user and the authentication service, allowing them to capture login credentials during the sign-in process.
4. Session Hijacking: Attackers steal session tokens or cookies, enabling them to impersonate the user and gain access to their account without needing the actual login credentials.
5. Insecure OAuth Implementations: If the third-party application does not implement OAuth securely, attackers can exploit vulnerabilities to gain unauthorised access to user accounts.
6. Account Recovery Exploits: If an attacker gains access to the user's recovery email or phone number, they can reset the Google account password, effectively taking over the account.
7. Social Engineering: Attackers might trick users into revealing sensitive information or resetting their passwords by posing as a trustworthy entity, exploiting human psychology to gain unauthorised access.
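Point 5 is where the token-verification bugs mentioned above live: a site accepts the token the identity provider hands back and reads an email address out of it without checking who signed it, who it was issued to, or whether it has expired. The following is an added example, not code from the original post or from any of the named platforms; it uses HS256 with a constructed shared secret as a stand-in for the provider's RS256 keys, and the issuer and client ID values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values; a real deployment compares against the
# identity provider's documented issuer and its own registered client_id.
EXPECTED_ISSUER = "https://idp.example"
OUR_CLIENT_ID = "our-app-client-id"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes) -> str:
    """Constructed helper that mints an HS256 JWT so the checks can be exercised."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def naive_identity(token: str) -> str:
    """The weak pattern: trust whatever the token body says, with no checks at all."""
    return json.loads(_unb64url(token.split(".")[1]))["email"]

def verify_id_token(token: str, secret: bytes, now=None) -> dict:
    """Hardened check: signature, algorithm, issuer, audience and expiry."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # never honour alg=none or a swapped algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != OUR_CLIENT_ID:  # a token issued to another app must not log in here
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims
```

The audience check is the one that matters most here: a token a user legitimately obtained for some other app is still validly signed by the same provider, so signature checking alone does not prove it was meant for you.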
To mitigate these risks, users should enable two-factor authentication (2FA), regularly update passwords, avoid clicking on suspicious links or emails, and be cautious when granting permissions to third-party applications. Additionally, developers should follow security best practices, implement secure OAuth protocols, and conduct regular security audits to protect users' accounts from exploitation.
Bottom line: If you have the option to either log in using a third party or create an account, I highly advise you to take a bit of your time to create an account from scratch, especially if you don’t know much about these websites’ security.
Stay secure with CYB3R.