Saturday, March 16, 2019

Why Using Facebook's OAuth Functionality Might Not Be Wise

I've worked in the tech industry for 25 years. I’m NEVER going to use Facebook to log in to third-party apps and sites online. You should pay attention to the reasons why.

First - who wants FB to know what else you're doing on the internet? It's none of their business. Don't blame the authors of OAuth (Open Authentication). They have done a great job of making it easier to access the web by not having to set up yet another set of login credentials. OAuth is a good idea. It is the implementation, or more precisely who implements it, that scares me.

I use Google OAuth but may rethink this as well. Luckily, Google (to my knowledge) has never revealed my data to malicious entities.

Facebook, on the other hand, has had numerous breaches in which tens of millions of accounts were hacked. Facebook announced last fall that a security breach allowed hackers to infiltrate the accounts of at least 50 million users, and possibly tens of millions more. The attackers could have gained access to Facebook and possibly, ipso facto, any other accounts you use OAuth for. This was noted in a New York Times article in which the author states the true magnitude of the danger. At the time of the article, neither Facebook nor third-party sites seemed able to measure the true extent of the breach.

The major concern for me is that tech giants' security departments tend not to make their processes and procedures public. Once an attack has occurred, all OAuth tokens of affected accounts should be immediately invalidated. This would require automation to expedite the response, since hackers can automate the attack vectors. A clever attacker could feed each compromised account into a process that forked several new processes to try accessing other targeted accounts.
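As an added illustration of the automated invalidation argued for above (example code written for this post, not Facebook's or any real relying party's), the session store below tags every session on a third-party site with the identity provider that minted it. A breach notice from that provider can then revoke only the confirmed accounts, or every session from that provider when, as in the case described above, nobody can say who was hit. The class names, sample sessions and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set

@dataclass
class Session:
    session_id: str
    user_id: str
    idp: str          # "facebook", "google", "local", ...
    idp_subject: str  # the identity provider's own id for the user ("" for local)
    issued_at: datetime
    revoked: bool = False

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, sid: str, user: str, idp: str, subject: str, at: datetime) -> None:
        self._sessions[sid] = Session(sid, user, idp, subject, at)

    def is_valid(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return s is not None and not s.revoked

    def revoke_for_idp_breach(self, idp: str, subjects: Optional[Set[str]] = None,
                              breach_start: Optional[datetime] = None) -> int:
        # subjects=None: the provider cannot say who was hit, so every session from
        # that IdP goes. breach_start=None: the window is unknown, so issue time is ignored.
        revoked = 0
        for s in self._sessions.values():
            if s.revoked or s.idp != idp:
                continue
            if subjects is not None and s.idp_subject not in subjects:
                continue
            if breach_start is not None and s.issued_at < breach_start:
                continue
            s.revoked = True
            revoked += 1
        return revoked

def sample_store() -> SessionStore:
    """Constructed sample data: five sessions, three of them minted via Facebook login."""
    store = SessionStore()
    before = datetime(2018, 9, 1, tzinfo=timezone.utc)
    after = datetime(2018, 9, 20, tzinfo=timezone.utc)
    store.issue("s1", "alice", "facebook", "fb-1", after)
    store.issue("s2", "bob", "facebook", "fb-2", after)
    store.issue("s3", "carol", "facebook", "fb-3", before)
    store.issue("s4", "dave", "google", "g-1", after)
    store.issue("s5", "erin", "local", "", after)
    return store
```

Revoked sessions force a fresh login, which is only useful if the user also re-authenticates at the provider with a new password or a re-issued token.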

Complicating this further, many friends I know have admitted they use the same passwords for multiple systems. Some hold their online banking, eBay and PayPal passwords to higher standards; however, many do not. The belief here is that online banking is an A1 priority target for hackers. Of course, anyone who has read Mitnick's articles on social hacking knows that Facebook and other social media sites can easily be leveraged by clever hackers.

The takeaway here is to take an inventory of which sites you have relied on OAuth for, and with which account, then perform your own security audit. After digesting the contents of this post, I hope it will illuminate some of the potential risks.