Gmail is the world’s most popular email service, it is also known as one of the most secure. But a dangerous exploit might make you rethink how you want to use the service in future.
In an eye-opening blog post, security researcher Youssef Sammouda has revealed that Gmail’s OAuth authentication code enabled him to exploit vulnerabilities in Facebook to hijack Facebook accounts when Gmail credentials are used to sign in to the service. And the wider implications of this are significant.
Speaking to The Daily Swing, Sammouda explained that he was able to exploit redirects in Google OAuth and chain it with elements of Facebook’s logout, checkpoint and sandbox systems to break into accounts. Google OAuth is part of the ‘Open Authorization’ standard used by Amazon, Microsoft, Twitter and others which allows users to link accounts to third-party sites by signing into them with the existing usernames and passwords they have already registered with these tech giants.
Sammouda reports no vulnerabilities using other email accounts. He does stress that it could potentially be applied more widely “but that was more complicated to develop an exploit for.” He states Facebook paid him a $44,625 ‘bug bounty’ for its role in this vulnerability. Facebook has subsequently patched the vulnerability from their side. I have contacted Google for a response on the role of Google OAuth in the exploit and will update this post when/if I receive a reply.
Commenting on Sammouda’s findings, security provider Malwarebytes Labs issued a warning to anyone using linked accounts: “Linked accounts were invented to make logging in easier,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can use one account to log in to other apps, sites and services… All you need to do to access the account is confirm that the account is yours.”
“We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised,” he explains.
For those concerned about the security of linked accounts, note it is possible to unlink them from Facebook. Navigate to: Settings & Privacy > Settings > Accounts Center button > Accounts & Profiles. A similar unlinking process can be used on other third-party sites if you are currently signing into them using Amazon/Google/Microsoft/Twitter credentials.
All of which raises a serious convenience Vs security headache. After all, it may have been Gmail credentials this time but it could be other OAuth partners next. Whatever your decision, you have been warned.
Follow Gordon on Facebook
More On Forbes