Gmail is the most popular email service in the world and is widely regarded as one of the most secure. However, a newly disclosed exploit may make you rethink how you use the service in future.
In an eye-opening blog post, security researcher Youssef Sammouda said a flaw in the handling of Gmail (Google OAuth) logins could allow accounts to be hijacked by exploiting a vulnerability in Facebook when signing in to services with Gmail credentials. And the broader implications matter.
Speaking to The Daily Swig, Sammouda explained that Google OAuth could be exploited through redirects to break into accounts, by chaining it with elements of Facebook's logout, checkpoint and sandbox systems. Google OAuth is an implementation of OAuth ('Open Authorization'), a standard also used by Amazon, Microsoft, Twitter and others that lets users link their accounts to third-party sites by signing in with a username and password already registered with one of these tech giants.
Sammouda has warned that the exploit could be used much more widely, and confirmed that he received a $44,625 'bug bounty' from Facebook this month. Facebook has since patched the vulnerabilities. We have contacted Google to ask about the role of Google OAuth in the exploit and will update this post when we receive a reply.
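The security-relevant point in the redirect chaining described above is how an authorization server decides where it may send a freshly issued token. The following is an added, constructed example for this page, not code from Sammouda's write-up, Facebook or Google, and it does not reproduce the actual Facebook chain: the registered client URI, the hosts, the logout endpoint with a `next` parameter and the token value are all assumptions. It contrasts a loose prefix check on the redirect URI with the exact-string comparison that RFC 6749 section 3.1.2.3 requires, and models how a browser carries a fragment-borne token through an open redirect on the legitimate host.

```python
"""Illustrative OAuth redirect_uri validation, weak versus strict.

Constructed for this page; the hosts, paths and token below are assumptions
and the flow is simplified (implicit-style token-in-fragment response).
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed client registration: the one redirect URI the authorization server knows.
REGISTERED_REDIRECT_URIS = {"https://example-client.test/oauth/callback"}
CLIENT_HOST = "example-client.test"
ASSUMED_TOKEN = "ya29.constructed-token-value"  # constructed, not a real token


def weak_redirect_ok(redirect_uri: str) -> bool:
    """Prefix match on the registered scheme+host.

    Common mistake: anything that merely starts with the registered origin passes,
    which lets through look-alike hosts and every other path on the real host.
    """
    origins = {f"{urlsplit(r).scheme}://{urlsplit(r).netloc}" for r in REGISTERED_REDIRECT_URIS}
    return any(redirect_uri.startswith(o) for o in origins)


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact string comparison against the registered set (RFC 6749 s.3.1.2.3).

    Rejects alternate paths, extra query parameters, fragments and look-alike hosts.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Authorization endpoint: returns the Location the user agent is sent to,
    with the token in the URL fragment, or None when redirect_uri is rejected."""
    if not validator(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={ASSUMED_TOKEN}"


def follow_redirects(location: str, max_hops: int = 5) -> str:
    """Model of a browser following 3xx responses.

    The assumed client exposes /logout, which redirects to its `next` parameter.
    Browsers keep the current fragment when the Location header carries none,
    so a fragment-borne token travels with the user to wherever `next` points.
    """
    parts = urlsplit(location)
    for _ in range(max_hops):
        query = parse_qs(parts.query)
        if parts.netloc == CLIENT_HOST and parts.path == "/logout" and "next" in query:
            target = urlsplit(query["next"][0])
            parts = target._replace(fragment=target.fragment or parts.fragment)
        else:
            break
    return urlunsplit(parts)


def token_recipient(redirect_uri: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Host that finally receives the token, or None if the request was rejected."""
    location = authorize(redirect_uri, validator)
    if location is None:
        return None
    return urlsplit(follow_redirects(location)).netloc


if __name__ == "__main__":
    cases = {
        "legitimate": "https://example-client.test/oauth/callback",
        "look-alike host": "https://example-client.test.attacker.test/oauth/callback",
        "open redirect on real host": "https://example-client.test/logout?next=https://attacker.test/collect",
    }
    for name, uri in cases.items():
        print(f"{name:28s} weak -> {token_recipient(uri, weak_redirect_ok)}"
              f"  strict -> {token_recipient(uri, strict_redirect_ok)}")
```

With the prefix check, both the look-alike host and the client's own logout redirect end up delivering the token to `attacker.test`; with exact matching, only the registered callback is ever accepted. The general lesson is the same whichever provider issues the token: any redirect the server trusts becomes part of the trust boundary, so a logout, checkpoint or sandbox endpoint with an open redirect on an allowed host is as dangerous as an attacker-controlled host.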
Commenting on Sammouda's findings, Pieter Arntz, Malware Intelligence Researcher at security provider Malwarebytes Labs, warned anyone using linked accounts: "Linked accounts were invented to make logging in easier. You can use one account to log in to other apps, sites and services… To access your account, you just need to verify that it's yours."
"I don't recommend having one password that controls all your passwords," he explains, since a compromise then becomes a much bigger problem than having only one site's password exposed.
If this news unsettles you, you can unlink accounts, including Google OAuth logins, from Facebook. Go to: Settings & Privacy > Settings > Accounts Center > Accounts & Profiles. A similar disconnection process exists on other third-party sites where you have signed in using Amazon/Google/Microsoft/Twitter credentials.
All this adds a serious convenience-versus-security headache for everyday users. After all, this time it was Gmail credentials at risk; next time it could be another OAuth partner. Whatever you decide, consider yourself warned.
___
Gordon