November 25, 2016
3rd Party Sign-in with Facebook or Google May Have Security Flaw
If you own your own business, then odds are good that you’ve taken advantage of the “Sign in With Facebook” (or Google) API. It’s fast, it’s convenient and it’s one less thing to worry about.
It gives your users an automatic way to sign onto your site, meaning that they don’t have yet another password to keep track of. That’s win-win, right?
It would be, except that the technology is often misused or incorrectly applied, leaving the door open for hackers and making it easy to intercept password information. If that happens, the convenience of using Facebook or Google’s sign-in API works against you.
Security professionals have been shouting from the mountaintops for months about how dangerous it is to use the same password across multiple accounts. While it takes on a slightly different form, that’s exactly what a Google/Facebook sign-in is, and once the hackers have your Facebook password, they can get into a number of other sites you use.
The attack is accomplished via a “man in the middle” approach that allows hackers to sign into a victim’s app using their own credentials.
Once logged in, the hackers can make use of any site the user logs onto via Facebook or Google. If you’ve linked your banking information to those sites, then the hackers will have access to those accounts. They can go shopping, book a vacation and basically do anything you would normally do when you sign onto those sites legitimately.
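The following is an added illustration, not code from the original post: it models the server-side check a backend that accepts “Sign in with Facebook/Google” must perform, assuming the misuse at issue is that the backend trusts the user identity the mobile client reports instead of the identity the provider vouches for. The token table, claim names and app identifiers are constructed stand-ins for a real provider’s server-to-server token verification.

```python
# Added example (not the original post's code). The provider lookup below is a
# constructed stand-in for an HTTPS token-verification call made from the app's
# backend to the identity provider; it is never data the mobile client supplies.
import hmac

# Constructed: token -> claims the provider asserts for it.
#   sub = the account the token really belongs to
#   aud = the app (client id) the token was issued for
_PROVIDER_TOKENS = {
    "tok-alice":     {"sub": "user-alice",   "aud": "my-app-client-id", "active": True},
    "tok-mallory":   {"sub": "user-mallory", "aud": "my-app-client-id", "active": True},
    "tok-other-app": {"sub": "user-alice",   "aud": "some-other-app",   "active": True},
}


def provider_introspect(token):
    """Return the provider-asserted claims for a token, or None if unknown."""
    return _PROVIDER_TOKENS.get(token)


def insecure_login(client_user_id, _token):
    """The misuse: the backend binds the session to the user id the client
    sent alongside the token, without asking the provider whose token it is.
    Anyone holding any valid token can therefore claim any user's account."""
    return client_user_id


def secure_login(token, expected_audience):
    """Bind the session only to the identity the provider vouches for, and
    only if the token was issued for this app (audience check)."""
    claims = provider_introspect(token)
    if not claims or not claims.get("active"):
        return None  # unknown, expired or revoked token
    # Constant-time compare of the audience; a valid token for another app
    # must not log anyone into this one.
    if not hmac.compare_digest(claims.get("aud", ""), expected_audience):
        return None
    return claims["sub"]  # provider-asserted identity, not client-claimed


if __name__ == "__main__":
    # Mallory presents her own token but claims to be Alice.
    print("insecure:", insecure_login("user-alice", "tok-mallory"))   # user-alice
    print("secure:  ", secure_login("tok-mallory", "my-app-client-id"))  # user-mallory
```

The first call shows the session landing on the victim’s account; the second shows the backend binding the session to the account the provider actually issued the token for.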
In a recent survey of the top 600 US and Chinese mobile apps, it was found that more than 40% (41.2%) can easily be compromised in just this fashion.
The level of exposure is staggering. This could impact more than a billion mobile devices worldwide.
If you make use of Facebook and/or Google’s sign-in API in the conduct of your business, it’s time to do a review. You may be putting your clients at risk without realizing it.