
3rd Party Sign-in with Facebook or Google May Have Security Flaw

November 25, 2016 | May 25th, 2021 | Blog, Cybersecurity

If you own a business, then odds are good that you’ve taken advantage of the “Sign in With Facebook” (or Google) API. It’s fast, it’s convenient and it’s one less thing to worry about.

It gives your users an automatic way to sign onto your site, meaning that they don’t have yet another password to keep track of. That’s win-win, right?

It would be, except that the technology is often misused or incorrectly applied, leaving the door open for hackers and making it easy to intercept password information. If that happens, the convenience of using Facebook or Google’s sign-in API works against you.

Security professionals have been shouting from the mountaintops for months about how dangerous it is to use the same password across multiple accounts. While it takes on a slightly different form, that’s exactly what a Google/Facebook sign-in is, and once the hackers have your Facebook password, they can get into a number of other sites you use.

The attack is accomplished via a “man in the middle” approach that allows hackers to sign into a victim’s app using their own credentials.

Once logged in, the hackers can make use of any site the user logs onto via Facebook or Google. If you’ve linked your banking information to those sites, then the hackers will have access to those accounts. They can go shopping, book a vacation and basically do anything you would normally do when you sign onto those sites legitimately.

In a recent survey of the top 600 US and Chinese mobile apps, it was found that more than 40% (41.2%) can easily be compromised in just this fashion.

The level of exposure is staggering. This could impact more than a billion mobile devices worldwide.

If you make use of Facebook and/or Google’s sign-in API in the conduct of your business, it’s time to do a review. You may be putting your clients at risk without realizing it.

Chris Forte


Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.
