Why You Should Never Login With Facebook
Mari Sherkin has been happily married for over 25 years, so she was more than a little surprised to learn she had a dating profile on matchmaking service Zoosk.com that she never created. Find out how it happened, and how it could easily happpen to you...
What is OAuth, and Why Should You Care?
According to Mary, a popup ad on Facebook invited her to take a look at Zoosk. She says she didn’t want to, so she clicked the X in one corner of the ad to close it. But suddenly she was whisked to Zoosk.com’s home page; she wanted none of that, so she closed the browser window. Mere minutes later, she says, emails from Zoosk members began flooding her inbox, expressing interest in her Zoosk profile -- which Mary says she never created.
That profile included her name, Facebook profile picture, and postal code. Mary lives in a small town 2.5 hours from Toronto, and she is understandably concerned about the damage that could be done to her reputation by this apparent evidence of infidelity.
How did Zoosk get the data it needed to create this bogus profile of Mary? The CBC News reporter who chronicled Mary’s plight found a “technology expert (who) points to what is known as an ‘open authentication protocol’ — or OAuth — where people often unwittingly share personal information with third-party websites.”
OAuth (Open Authentication protocol) is what enables you to “sign in with Facebook” or Google or Twitter login credentials on other sites, eliminating the bother of creating and keeping track of new login credentials for multiple sites. Depending on how OAuth is configured, a site may request access to your personal data and the ability to act as if it was you on Facebook, Google, or whatever service you use to save yourself some time and hassle.
A spokesman from Zoosk denies that they automatically create dating profiles based on Facebook data, but their Terms of Service explicitly state that they can. Here's an excerpt from the Terms that spells it out:
"When you have enabled the use of our Services through a Social Networking Site such as Facebook, Google+ or Twitter, you permit Zoosk to access certain information about you ... such as your name, profile picture, network, gender, username, user ID, age range or birthday, language, location, country, interests, contacts list, friends lists or followers and other information. By accessing or using our Services through a Social Networking Site, you are authorizing Zoosk to collect, store, retain and use ... information that Zoosk has obtained from the Social Networking Site, including to create a Zoosk profile page and account for you."
Plenty of Blame to Go Around
It's not clear to me if OAuth played a role in Mary’s victimization. She doesn’t mention clicking on anything that explicitly granted permission to access her Facebook profile or data, as the OAuth protocol requires. Yes, it's possible that she clicked something without reading carefully. But there's a Zoosk Victims facebook page where dozens of others have complained about the same thing happening to them.
Mark Zuckerberg started Facebook by doing exactly what Zoosk seems to be doing. Without asking permission, he pilfered names, copyright-protected photos, and other personal information from his classmates’ profiles on Harvard’s student directory website. So I’m confident that he has no problem with what happened to Mary. If Facebook allows advertisers to hijack its members’ browsers and misdirect them to websites when they try to close ads, then Facebook is aiding and abetting phishers and malware distributors. That would not surprise me, either.
Don’t get me wrong: OAuth is not without its security and privacy hazards. In fact, a very big one was revealed in May, 2014, that confirms my long-standing policy of never using OAuth as a substitute for site-specific usernames and passwords.
The so-called Covert Redirect vulnerability in OAuth was exposed shortly after the Heartbleed bug; a lot of people missed it in the furor generated by Heartbleed. It allows a phisher to display a bogus log-in popup window on a legitimate site, harvest data that the user thinks is going to the legit site, and then redirect the user’s browser to a site of the phisher’s choosing.
Standard precautions don’t work against “Covert Redirect.” In many phishing exploits, the user can tell something is wrong by carefully examining the URL underlying a link or button he’s being asked to click; bad guys often used domains that are subtle misspellings of legitimate domains. But the “Covert Redirect” exploit uses the exact spelling of the legitimate domain, so it’s undetectable by URL inspection. Facebook, Google, Twitter, LinkedIn, and many other major sites are all aware of “Covert Redirect” and doing nothing about it except “monitoring the situation.” The only solution, currently, would be too expensive and labor-intensive to implement.
Avoiding Problems With OAuth
So my advice is to avoid OAuth as much as possible. In practical terms, that means don't log in to a new site using your credentials from another site, such as Facebook, Twitter or Google. Create a new account the old-fashioned way, by choosing a username and password that's specific to that website. Minimize use of apps that employ OAuth. The handy service MyPermissions will identify all apps that you currently have authorized and let you remove those you don’t need.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 1 Dec 2014
|For Fun: Buy Bob a Snickers.|
Meet MICA: Intel's Smart (Looking) Watch
The Top Twenty
Will Hybrid Phone Service Save You Money?
There's more reader feedback... See all 35 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005
- Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Why You Should Never Login With Facebook (Posted: 1 Dec 2014)
Copyright © 2005 - Bob Rankin - All Rights Reserved