Gmail is the world’s most popular email service, it is also known as one of the most secure. But a dangerous exploit might make you rethink how you want to use the service in future.
In an eye-opening blog post, security researcher Youssef Sammouda has revealed that flaws in Gmail’s authentication code enabled him to exploit vulnerabilities in Facebook to hijack accounts when Gmail credentials are used to sign in to the service. And the wider implications are significant.
Speaking to The Daily Swing, Sammouda explained that he was able to exploit redirects in Google OAuth and chain it with elements of Facebook’s logout, checkpoint and sandbox systems to break into accounts. Google OAuth is part of the ‘Open Authorization‘ standard used by Amazon, Microsoft, Twitter and others which allows users to link accounts to third-party sites by signing into them with the existing usernames and passwords they have already registered with these tech giants.
Sammouda warned that the exploit could have been used far more widely and confirmed that he was paid a $44,625 ‘bug bounty’ by Facebook this month for his discovery. Facebook has subsequently patched the vulnerability from their side. I have contacted Google for a response on the role of Google OAuth in the exploit and will update this post when/if I receive a reply.
Commenting on Sammouda’s findings, security provider Malwarebytes Labs issued a warning to anyone using linked accounts: “Linked accounts were invented to make logging in easier,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can use one account to log in to other apps, sites and services… All you need to do to access the account is confirm that the account is yours.”
“We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised,” he explains.
If this news makes you uncomfortable, note it is possible to unlink accounts, including Google OAuth, from Facebook. Navigate to: Settings & Privacy > Settings > Accounts Center button > Accounts & Profiles. A similar unlinking process can be used on other third-party sites where you already sign in using Amazon/Google/Microsoft/Twitter credentials.
All of which gives everyday users a serious convenience Vs security headache. After all, it may have been Gmail credentials this time, it could be other OAuth partners next. Whatever your decision, you have been warned.
Follow Gordon on Facebook
More On Forbes