Have you ever used the “Log in with Facebook” or “Log in with Google” button on a website? If so, you’ve used OAuth. OAuth is a popular way for websites and apps to let users log in without having to create a separate account.
Recently, researchers found a security flaw in OAuth that could allow attackers to steal your personal information or even take over your account. This flaw is called “pass-the-token.”
In a pass-the-token attack, an attacker steals an OAuth token from one website and uses it to log into another website. For example, if you’re logged into a website called “Booking.com” and the attacker steals your secret OAuth token from that website, they could use it to log into your Grammarly account or other accounts that also use OAuth technology.
This flaw was recently found on three popular websites: Vidio, Bukalapak, and Grammarly. All three websites have fixed the flaw, but the security research firm that discovered the flaw believe that thousands of other websites may be vulnerable to the same attack, potentially jeopardizing billions of internet users daily.
How to protect yourself
There are a few things you can do to protect yourself from pass-the-token attacks:
- Be careful about websites that offer a “Log in with Facebook” or “Log in with Google” button. If you use this regularly across the Internet, and the underlying technology, OAuth, is compromised, every site where you’ve selected that option is at risk.
- Although less convenient, the better option is to create a separate username and unique password for each site, and use a password manager to help you keep track of your passwords.
- Enable two-factor authentication on all your accounts. This will make it more difficult for attackers to log into your accounts, even if they have your password.
What is OAuth?
OAuth is a standard for authorization. It allows users to authorize one app or website to access their data on another app or website. For example, if you’re logged into Facebook and you want to share a photo from Facebook on Twitter, you can use OAuth to authorize Twitter to access your Facebook photos.
OAuth is a very popular standard, and it’s used by many of the websites and apps that you use every day. However, it’s important to be aware of the security risks associated with OAuth.
What is a pass-the-token attack?
In a pass-the-token attack, an attacker steals an OAuth token from one website and uses it to log into another website. This is possible because OAuth tokens are often sent in plain text, and they can be easily intercepted by attackers.
How can I prevent pass-the-token attacks?
The best way to prevent pass-the-token attacks is to only log into websites with Facebook or Google that you trust. Additionally, you should use a password manager to help you keep track of your passwords and tokens. Finally, you should enable two-factor authentication on all of your accounts.
What should I do if I think my account has been compromised?
If you think your account has been compromised, you should immediately change your password and enable two-factor authentication. You should also contact the website or app that you think has been compromised to report the incident.