Why You Should Never Login With Facebook
Mari Sherkin has been happily married for over 25 years, so she was more than a little surprised to learn she had a dating profile on matchmaking service Zoosk.com that she never created. Find out how it happened, and how it could easily happen to you...
What is OAuth, and Why Should You Care?
According to Mary, a popup ad on Facebook invited her to take a look at Zoosk. She says she didn’t want to, so she clicked the X in one corner of the ad to close it. But suddenly she was whisked to Zoosk.com’s home page; she wanted none of that, so she closed the browser window. Mere minutes later, she says, emails from Zoosk members began flooding her inbox, expressing interest in her Zoosk profile -- which Mary says she never created.
That profile included her name, Facebook profile picture, and postal code. Mary lives in a small town 2.5 hours from Toronto, and she is understandably concerned about the damage that could be done to her reputation by this apparent evidence of infidelity.
How did Zoosk get the data it needed to create this bogus profile of Mary? The CBC News reporter who chronicled Mary’s plight found a “technology expert (who) points to what is known as an ‘open authentication protocol’ — or OAuth — where people often unwittingly share personal information with third-party websites.”
OAuth (Open Authentication protocol) is what enables you to “sign in with Facebook” or Google or Twitter login credentials on other sites, eliminating the bother of creating and keeping track of new login credentials for multiple sites. Depending on how OAuth is configured, a site may request access to your personal data and the ability to act as if it were you on Facebook, Google, or whatever service you use to save yourself some time and hassle.
A spokesman from Zoosk denies that they automatically create dating profiles based on Facebook data, but their Terms of Service explicitly state that they can. Here's an excerpt from the Terms that spells it out:
"When you have enabled the use of our Services through a Social Networking Site such as Facebook, Google+ or Twitter, you permit Zoosk to access certain information about you ... such as your name, profile picture, network, gender, username, user ID, age range or birthday, language, location, country, interests, contacts list, friends lists or followers and other information. By accessing or using our Services through a Social Networking Site, you are authorizing Zoosk to collect, store, retain and use ... information that Zoosk has obtained from the Social Networking Site, including to create a Zoosk profile page and account for you."
Plenty of Blame to Go Around
It's not clear to me if OAuth played a role in Mary’s victimization. She doesn’t mention clicking on anything that explicitly granted permission to access her Facebook profile or data, as the OAuth protocol requires. Yes, it's possible that she clicked something without reading carefully. But there's a Zoosk Victims Facebook page where dozens of others have complained about the same thing happening to them.
Mark Zuckerberg started Facebook by doing exactly what Zoosk seems to be doing. Without asking permission, he pilfered names, copyright-protected photos, and other personal information from his classmates’ profiles on Harvard’s student directory website. So I’m confident that he has no problem with what happened to Mary. If Facebook allows advertisers to hijack its members’ browsers and misdirect them to websites when they try to close ads, then Facebook is aiding and abetting phishers and malware distributors. That would not surprise me, either.
Don’t get me wrong: OAuth is not without its security and privacy hazards. In fact, a very big one was revealed in May, 2014, that confirms my long-standing policy of never using OAuth as a substitute for site-specific usernames and passwords.
The so-called Covert Redirect vulnerability in OAuth was exposed shortly after the Heartbleed bug; a lot of people missed it in the furor generated by Heartbleed. It allows a phisher to display a bogus log-in popup window on a legitimate site, harvest data that the user thinks is going to the legit site, and then redirect the user’s browser to a site of the phisher’s choosing.
Standard precautions don’t work against “Covert Redirect.” In many phishing exploits, the user can tell something is wrong by carefully examining the URL underlying a link or button he’s being asked to click; bad guys often use domains that are subtle misspellings of legitimate domains. But the “Covert Redirect” exploit uses the exact spelling of the legitimate domain, so it’s undetectable by URL inspection. Facebook, Google, Twitter, LinkedIn, and many other major sites are all aware of “Covert Redirect” and doing nothing about it except “monitoring the situation.” The only solution, currently, would be too expensive and labor-intensive to implement.
Avoiding Problems With OAuth
So my advice is to avoid OAuth as much as possible. In practical terms, that means don't log in to a new site using your credentials from another site, such as Facebook, Twitter or Google. Create a new account the old-fashioned way, by choosing a username and password that's specific to that website. Minimize use of apps that employ OAuth. The handy service MyPermissions will identify all apps that you currently have authorized and let you remove those you don’t need.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 1 Dec 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Why You Should Never Login With Facebook (Posted: 1 Dec 2014)
Source: https://askbobrankin.com/why_you_should_never_login_with_facebook.html
Most recent comments on "Why You Should Never Login With Facebook"
(See all 35 comments for this article.)
Posted by:
SharonH
01 Dec 2014
I am becoming more and more suspicious of Facebook as time goes on. I'm on there mainly because there are some groups that are of interest to me. I have had some excellent conversations with these people. Other than that, I could do without it. But for now I'll remain on, though I did take a hiatus for a while. As always we must be careful about clicking on anything. Great article and one I am going to share with our computer group.
Posted by:
RandiO
01 Dec 2014
I think you have mistakenly hit the nail right on the head, Mr. Rankin! Facebook is the 21st Century means of becoming a legally/socially acceptable peeping Tom, where one can snoop on other people freely. I feel sorry for "Mari" Sherkin but the cardinal sin that she committed was to not register to Facebook using your suggestion of an alias; such as "Mary" Sherkin! Frankly (or marily), I may have gone at least one step further and registered using the alias "Mary Cherkin" or sumsuch!
Thank you for yet another great topic/article, Mr. Rob Bankin.
Posted by:
MmeMoxie
01 Dec 2014
I am very aware, of the dangers of Facebook!!! However, how do you get the websites that use Facebook, for comments and mostly, the infamous Like Button ... Not to use Facebook???!!!
I have several political newsletters and most of them use Facebook for commenting. I prefer Disqus, but not many websites are using Disqus these days. WordPress is mostly for blogging, yet I can comment on those websites.
Yes, I have a Google+ account, but, just don't use it, never have. I think, I read either on Bob's website or another ... That Google was going to change Google+, to be called something else or just let it die. Now, in all honesty, I may have just dreamt all of this up, too!!! LOL LOL LOL (Just checked, Google+ is in trouble)
As far as I am concerned, I have been highly irritated, with Facebook, for about a year, now. I want to stop using Facebook, but, it is the only way, I can keep in touch, with close family, that live far away.
Posted by:
David Ream
01 Dec 2014
Thanks for a useful and informative article. In light of what you said, I was surprised to see a box next to your article that allows readers to sign in to "AskBobRankin.Com" via Facebook, Twitter or Google+. As the Czar of your own web page, do you have control over OAuth using it as a stepping stone to other sites?
EDITOR'S NOTE: It's just a picture to go along with the article. There's no login at AskBobRankin.com.
Posted by:
Adolf
01 Dec 2014
Virtually all the TV News Services here and many Commerce sites want you to sign in with Facebook and Like their site. If there is no option to bypass Facebook, I do not sign up just to comment. Besides the fact that there are a lot of fake comments and hecklers.
Posted by:
Wordwizard
02 Dec 2014
I sign into things with Twitter IF it says it will not post anything in my name. (I've also sometimes signed in with Facebook, 2nd preference, same condition.) I've never been burnt yet, that I know of. Comments?
Posted by:
Joyce Naffier
02 Dec 2014
I would appreciate a further discussion and clarification of this topic.
Posted by:
Marc de Piolenc
02 Dec 2014
It's good to hear some sense on this subject from a recognized authority. I've been fulminating against this kind of linking, and especially against sites that ONLY allow you to sign in with outside credentials (Disqus, for example). They are an ongoing security hazard, but I am usually treated like a tinfoil-hat-wearing crank if I mention it.
Posted by:
Rochelle
02 Dec 2014
I used My Permissions to clear a Google app, and it asked me if, er, I wanted to share it on Facebook or Twitter, neither of which I belong to.
Posted by:
Jaksen
02 Dec 2014
Lots of interesting articles on the Internet; if one signs in to every one which requires a log-in, the inbox would quickly fill to the brim with continued info from each site.
I find the best way is to use a disposable address in case more site visits are not required.
SpamGourmet.com has a function to allow the user to dictate how many email messages to accept.
Hasn't failed yet, and used on dozens of newspaper, technical, scientific web sites.
Posted by:
Aryn
02 Dec 2014
I assume MyPermissions is just for mobile devices? At least, I tried to download it to my desktop (Windows 7) and got an error message.
Thanks for your many articles!
Posted by:
Blacksmith
02 Dec 2014
Please excuse me for commenting again but there are so many comments above along the lines of "I must use Facebook to keep in contact with....." Why not try plain old email and/or Skype?
Posted by:
Jim Lewis
02 Dec 2014
I appreciate your information on a daily basis but at times I'm unsure just what you are telling me.
For example, in this article is mentioned this;
"The handy service MyPermissions will identify all apps that you currently have authorized and let you remove those you don’t need".
I clicked "MyPermissions" and found 18 different options that I could click.
How am I to know what to click in order to receive only the info you mentioned? Having multiple choices with no idea which one I'm after causes me to choose none.
EDITOR'S NOTE: What do you mean when you say you "clicked MyPermissions"? If you visit MyPermissions.com you'll find the desktop and mobile versions of the program.
Posted by:
Zahbuk
03 Dec 2014
Good thing the Facebook account I use to sign in to sites is not real. FB is not a problem if you take the time to lock it down.
Facebook is the best for staying abreast of what is going on in your friends' and families' lives. It's like having that gossiping aunt that tells you what your cousins and other family have been up to. There's no way you could/would take the time to email or Skype the hundreds of people you know.
Who only has 1 email address? Everyone should have AT LEAST 3 email addresses.
1 for professional
1 for friends and family
1 for spam. I find Hotmail is great for signing up for stuff.
I don't get spam from anywhere. And I sign up for EVERYTHING.
Posted by:
David Ream
03 Dec 2014
Thanks for a useful and informative article. In light of what you said, I was surprised to see a box next to your article that allows readers to sign in to "AskBobRankin.Com" via Facebook, Twitter or Google+. As the Czar of your own web page, do you have control over OAuth using it as a stepping stone to other sites?
EDITOR'S NOTE: As I mentioned on Monday (when you posted the same comment) it's just a picture to go along with the article. There's no login at AskBobRankin.com. I thought that emblazoning the word SAMPLE on the image would dispel any further confusion.
Posted by:
Greg Burgess
13 Dec 2014
I have another curly one and don't know how to fix. Someone is impersonating me, using my email address as well as my Facebook picture. I don't know who the emails are going to, but I am receiving them as well. (My picture and also sent from my email address), but not sent by me.
This person is marketing and sending people to sales links. I did email one link and asked who was the person who was the affiliate. Never received a reply.
I hope someone has an answer.
Posted by:
ixtis
14 Dec 2014
People seem to worry about keeping in touch with family/friends if they get rid of FB why not use Skype as I have since its inception?
EDITOR'S NOTE: Because Skype isn't a social network. It doesn't help you find friends with whom you have lost contact for 20-30 years. It doesn't let you share news and photos with a group. Facebook does those things well.
Posted by:
Dr Ryan James
15 Dec 2014
I used My Permissions on my Win7 with great results, so I am not sure why some had an error message.
It was rather disturbing to see how many programs and services I had used various services like FB and Gmail to tap into, only to have stopped using them and forgotten about them. Thankfully with My Permissions, it raised a red flag for me to be more vigilant.
Thanks Bob!
Posted by:
AlanM
15 Dec 2014
It's ALL about the MONEY!!
Just about everywhere you go on the internet now is laced with tons of adware.
I hate those little video ads that automatically run with no option to pause or stop them.
Every once in a while you'll find one that gives you an option to close it. If you do, it brings up an ad from the webpage stating that ads are required for the operation of that network. If you want to view the page without ads you must purchase a subscription or "donate" x-amount to the website.
Even PC Pitstop is loaded with ads. Some of which come in the middle of articles and can look like a link to additional info from the article.
Now, I know that ads are needed to keep free things free. Sometimes this use leads to abuse.
Take network TV...
A 30 minute program is maybe 15 - 20 minutes of program and 10 - 20 minutes of ads. If you have cable or satellite TV you STILL have the ads and pay extra to get them. Then you have the PREMIUM cable stations like HBO, SHOWTIME, CINEMAX, STARZ etc. that run their own ads and such for promotion, and will have the ads streaming across the screen in such a way that the movie basically becomes unviewable as IT becomes unwatchable due to the large writing across the middle of the screen. Now that should be called criminal behavior.
We now live in a society where ONLY advertisers have rights. The general public only has the right to NOT turn on their computer or TV set.
Posted by:
Mark Roehrich
17 Dec 2014
I tried to share this article on facebook as a warning, since it has happened to me with Farmers Only. But to share it they wanted me to Login with Facebook. I won't make that mistake again.
EDITOR'S NOTE: You don't have to use the ShareThis widget. Copy the article address, and paste it directly to your Facebook page.