Mohit Bagga and Tajinder Pal Singh Chahal of CodeBibber recently stumbled upon a security flaw in the Facebook login protocol that websites use to authenticate users, one that can expose your data across multiple platforms.
Their findings are documented below.
While researching for our new venture TOTUM, we hacked around Facebook login, looking for alternate login methods. This is when we discovered a major security breach, which can compromise your data across multiple platforms.
In simple words, whenever you choose the “Login Through Facebook” option on any website or mobile app, you expose every other account where you ‘logged in through Facebook’ including Uber, Snapdeal, Zomato and Foodpanda among the rest.
HOW FACEBOOK LOGIN WORKS
Let’s say you log in to app X via Facebook. X will receive an access token from Facebook and will send it to X’s server and save it.
But now X can use this same access token to log in to any and every other platform impersonating you and access your data, ranging from your recent orders on Zomato or your purchase history from Snapdeal to your private messages, and the list goes on.
We tested out this security breach on our TOTUM app’s test run and, to our amazement, by using a single access token that we received from Facebook, we were able to access the entire account history of that user on a series of big players like Zomato, Foodpanda, Snapdeal etc.
Our EVIL PLAN
We initially thought of creating a Chrome plugin that can inspect web pages before viewing and blur the text where GOT (Game of Thrones) related information is published, so that you do not read spoilers.
Our guess was that such a plugin would have received a pretty generous number of user downloads. But this plugin would have been infected with a virus that reads your Facebook access token and scrapes user data from different target sites. This would have given us a huge user account base to begin our exploits.
But the genius yet kind souls that we are, we decided instead to post about this breach and alert the unsuspecting, net-savvy souls who are ever so eager to ‘Login through Facebook’ and save the extra 2 minutes about the consequences of this simple step.
FOOD FOR THOUGHT
Would you want every online account you ever create to be available for misuse by any random app? Isn’t it scary to think anyone can book rides using your Uber account and pay using your PayTM wallet?
Facebook has access to all the information about every platform that provides the ‘Login Through Facebook’ option. They can scrape from all the platforms anytime they want.
Until this issue is resolved, your online data is all up for grabs.
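The token-reuse problem described under HOW FACEBOOK LOGIN WORKS, as an added example that is not part of the CodeBibber write-up: a relying party's login check that trusts any working Facebook token, beside one that also verifies through Facebook's /debug_token endpoint that the token was issued to its own app. The app id, the token strings and the Graph API stand-ins are constructed so the snippet runs offline.

```python
# Placeholder for our own Facebook app id (assumption, not a real id).
OUR_APP_ID = "111111111111111"

# Constructed token table standing in for Facebook's token store. Field names
# mirror the documented /debug_token response (app_id, user_id, is_valid);
# every value here is made up for this example.
CONSTRUCTED_TOKENS = {
    "tok-ours":  {"app_id": "111111111111111", "user_id": "10000000000001", "is_valid": True},
    "tok-app-x": {"app_id": "222222222222222", "user_id": "10000000000001", "is_valid": True},
    "tok-dead":  {"app_id": "111111111111111", "user_id": "10000000000001", "is_valid": False},
}

def graph_me(token: str) -> dict:
    """Stand-in for GET https://graph.facebook.com/me?access_token=<token>.
    Any valid token resolves to the user, whichever app it was issued to."""
    rec = CONSTRUCTED_TOKENS.get(token)
    if rec is None or not rec["is_valid"]:
        raise PermissionError("OAuthException: invalid or expired access token")
    return {"id": rec["user_id"]}

def debug_token(token: str) -> dict:
    """Stand-in for GET https://graph.facebook.com/debug_token?input_token=<token>
    &access_token=<our app access token>; returns the response's 'data' object."""
    rec = CONSTRUCTED_TOKENS.get(token)
    return dict(rec) if rec else {"is_valid": False}

def trusting_login(token: str):
    """The pattern the post describes: whoever presents a working Facebook token
    is logged in as that user, so a token handed to app X also works here."""
    try:
        return graph_me(token)["id"]
    except PermissionError:
        return None

def audience_checked_login(token: str):
    """Hardened version: the token must be valid AND issued to our own app;
    tokens belonging to other apps are refused before any account lookup."""
    data = debug_token(token)
    if not data.get("is_valid"):
        return None
    if data.get("app_id") != OUR_APP_ID:
        return None          # issued to another app: app X cannot replay it here
    return data.get("user_id")
```

In a real deployment the debug_token request goes to graph.facebook.com with the relying party's own app access token, so the app_id in the response is Facebook's statement about the token, not a claim made by whoever presented it.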