Abusing Google and Facebook login: On the risks in trusting third-party logins
Using social logins is a good way to boost security. However, this often makes site owners complacent, skipping security measures they still need to maintain. Ido Safruti and Tomer Cohen explain how attackers have found ways to exploit this and bypass the auth providers defenses, attacking some of the worlds largest services, and demonstrate how to protect yourself from such attacks.
| Talk Title | Abusing Google and Facebook login: On the risks in trusting third-party logins |
| Speakers | |
| Conference | O’Reilly Security Conference |
| Conf Tag | Build better defenses |
| Location | Amsterdam, Netherlands |
| Date | November 9-11, 2016 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Third-party login services like those offered by Google or Facebook are commonly used on websites and services to secure the login flow and streamline the registration process. While this helps validate that the user has the appropriate credentials for the third-party account, it doesn’t ensure that the session or the user itself is legitimate. Some of the largest services on the Web have dropped their safety checks for the third-party login flow, and malware has taken advantage of exactly that by hijacking validated users’ Facebook or Google sessions to create accounts on other sites and abuse the service without the actual user knowing it. Even when multifactor authentication is applied (for instance on Google), if the user is logged in, malware running on his computer can use the credentials without any additional validation or approval from the user. To avoid such automation attacks, a responsible implementation will perform security checks on the user even when logged in through a “trusted” third-party login, especially on critical flows like account creation. Ido Safruti and Tomer Cohen explore the details behind some of the attacks performed by a malware distribution network of browser extensions that opened hidden browser connections to create accounts on some of the world’s largest services and used these accounts to control and distribute the malware further, making the services active participants in the distribution of malware and exposing them further. Ido and Tom share a set of principles and recommendations for safer implementations of third-party logins and demonstrate how to avoid being targeted by attacks that can threaten your users and your service’s reputation.
