Warning issued for millions of Google Gmail users

Gmail is the most popular email service in the world, and it is also regarded as one of the most secure. But a dangerous exploit chain could make you reconsider how you use it to sign in elsewhere.

In a detailed blog post, security researcher Youssef Sammouda revealed that the way Google's OAuth sign-in flow handled redirects allowed him to chain together vulnerabilities in Facebook and hijack Facebook accounts that are logged in to with Gmail credentials ("Log in with Google"). The broader implications are significant.

Speaking to The Daily Swig, Sammouda explained that he was able to exploit redirects in Google OAuth and chain them with elements of Facebook's logout, checkpoint and sandbox systems to take over accounts. Google OAuth is Google's implementation of the OAuth ("Open Authorization") standard, also used by Amazon, Microsoft, Twitter and others. It lets users link accounts to third-party sites by signing in with an account they already hold at one of these tech giants: the third-party site never sees the user's password, but instead receives a short-lived code or token from the provider via a redirect back to the site, and the security of the whole scheme depends on that redirect going only where it is supposed to.
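To make the redirect point concrete, here is an added example written for this article; it is not Google's or Facebook's code and it does not reproduce Sammouda's exploit. It shows a toy OAuth 2.0 authorization-code flow with two versions of the authorization server's `redirect_uri` check: a loose host-only match, under which an authorization code can be delivered to any page on the trusted host (including a hypothetical logout handler that forwards visitors to a `next=` URL), and the strict exact match RFC 6749 calls for. The relying-party side also shows the `state` check that ties a callback to the browser session that started the login. The client registration, endpoint URL and the `logout?next=` page are all assumptions constructed for the example.

```python
"""Illustrative OAuth 2.0 redirect validation and state handling.

Written for this article as an added example. Not Google's, Facebook's or
Sammouda's code; every URL, client and endpoint below is constructed.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration: the single redirect target that the
# hypothetical client "example-client" registered with the provider.
REGISTERED_CLIENTS = {
    "example-client": {"redirect_uris": ["https://app.example.com/oauth/callback"]},
}

AUTHORIZE_ENDPOINT = "https://auth.example.net/o/oauth2/auth"  # hypothetical


def host_only_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Loose check: accept any URL whose scheme and host match a registration.

    This is the weak variant. If any page on that host forwards users to an
    attacker-chosen URL (a hypothetical logout handler with a ``next=``
    parameter, say), the authorization code rides along in the query string.
    """
    requested = urlparse(redirect_uri)
    for allowed in REGISTERED_CLIENTS[client_id]["redirect_uris"]:
        registered = urlparse(allowed)
        if requested.scheme == registered.scheme and requested.netloc == registered.netloc:
            return True
    return False


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """RFC 6749 section 3.1.2.2 style check: exact string comparison against
    the registered value, so no path, query or fragment variation is allowed."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_CLIENTS[client_id]["redirect_uris"]


def issue_code_redirect(client_id: str, redirect_uri: str, state: str, check) -> str:
    """Authorization server side: after consent, send the one-time code back to
    the client by appending it to redirect_uri. Refuses if `check` fails."""
    if not check(client_id, redirect_uri):
        raise ValueError("redirect_uri does not match registration")
    code = secrets.token_urlsafe(24)
    parts = urlparse(redirect_uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["code"] = [code]
    query["state"] = [state]
    return parts._replace(query=urlencode(query, doseq=True)).geturl()


def begin_login(session: dict, client_id: str = "example-client") -> str:
    """Relying party side: start the flow with a fresh, unguessable `state`
    stored in this browser's session; it later proves the callback is ours."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REGISTERED_CLIENTS[client_id]["redirect_uris"][0],
        "scope": "openid email",
        "state": session["oauth_state"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def finish_login(session: dict, callback_url: str) -> str:
    """Relying party side: accept the callback only when its `state` matches the
    session's stored value (constant-time compare), then return the code that
    would be exchanged for tokens."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    got = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected, got):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    return query["code"][0]


if __name__ == "__main__":
    attacker_uri = "https://app.example.com/logout?next=https://attacker.example/"
    print("host-only check accepts attacker URI:", host_only_redirect_check("example-client", attacker_uri))
    print("strict check accepts attacker URI:   ", strict_redirect_check("example-client", attacker_uri))
    session = {}
    begin_login(session)
    cb = issue_code_redirect("example-client", REGISTERED_CLIENTS["example-client"]["redirect_uris"][0],
                             session["oauth_state"], strict_redirect_check)
    print("code accepted by relying party:", finish_login(session, cb))
```

The point of the two checks is the one the article turns on: an authorization server that merely confirms the host of `redirect_uri` is handing the code to whatever that host does with unexpected paths, and any forwarding behaviour on the trusted host becomes the attacker's delivery channel. Exact matching at the provider, plus a per-session `state` at the relying party, closes both the redirect and the cross-site request forgery angle.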

Sammouda has not reported testing the technique with other email providers. He notes that it could potentially be applied more widely, "but that was more complicated to develop an exploit." He says Facebook paid him a bug bounty of $44,625 for reporting the vulnerability, and Facebook has since fixed the vulnerability on its side. I've contacted Google for a response on Google OAuth's role in the exploit and will update this post when I hear back.

Commenting on Sammouda's findings, security vendor Malwarebytes Labs issued a warning to anyone using linked accounts. "Linked accounts were invented to make logging in easier," writes Pieter Arntz, a malware intelligence researcher at the company. "You can use an account to sign in to other apps, sites, and services... All you need to do to access the account is confirm that the account is yours."

“We wouldn’t recommend it because if someone gets the one password that controls them all, they’re in even bigger trouble than if just one site’s password is compromised,” he explains.

For those concerned about the security of linked accounts, note that it is possible to unlink them from Facebook. Navigate to: Settings & Privacy > Settings > Accounts Center > Accounts & Profiles. A similar opt-out process exists on other third-party sites if you currently sign in to them with Amazon, Google, Microsoft or Twitter credentials.

All of which poses a real trade-off between convenience and security. After all, it was Gmail credentials this time, but it could be another OAuth provider next. Whatever your decision, you have been warned.


Follow Gordon on Facebook
