Serious Warning Issued For Millions Of Google Gmail Users – Forbes
A dangerous exploit in Gmail’s OAuth authentication code enabled security researcher Youssef Sammouda to hijack Facebook accounts when Gmail credentials were used to sign in to the service.
Google OAuth is Google's implementation of the 'Open Authorization' (OAuth) standard, also used by Amazon, Microsoft, Twitter and others, which lets users link accounts to third-party sites by signing in with the existing username and password they have already registered with one of these tech giants.
Sammouda was able to exploit redirects in Google OAuth and chain it with elements of Facebook’s logout, checkpoint and sandbox systems to break into accounts. He received a $44,625 bug bounty from Facebook for his work.
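The weak link the story describes is redirect handling: an authorization server that accepts a redirect target that is merely "close enough" to the one the client registered can be steered into sending the authorization response somewhere else, and that is the starting point for chaining further redirects. The following is an added example, not code from Google, Facebook or the researcher; the registered URI, the client origin and the helper names are constructed for illustration. It contrasts a prefix-based check, which accepts extra paths and query strings, with the exact-match check the OAuth security guidance recommends for redirect_uri, and shows where that check sits before the Location header is built.

```python
from __future__ import annotations

from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed example: the single redirect URI a hypothetical client registered
# with the authorization server. Not any real provider's configuration.
REGISTERED_REDIRECT_URIS = frozenset({"https://app.example.com/oauth/callback"})

# Constructed origin used by the weak check below.
CLIENT_ORIGIN_PREFIX = "https://app.example.com/"


def redirect_allowed_weak(candidate: str) -> bool:
    """Prefix check: accepts anything under the client's origin.

    This lets through a different path (for instance an endpoint that itself
    redirects) or an added query string, which is exactly what an attacker
    chaining redirects needs. Shown only as the pattern to avoid.
    """
    return candidate.startswith(CLIENT_ORIGIN_PREFIX)


def redirect_allowed_strict(candidate: str,
                            registered: frozenset[str] = REGISTERED_REDIRECT_URIS
                            ) -> tuple[bool, str]:
    """Exact-match check after minimal canonicalisation.

    Only the scheme and host are case-folded; path, query and everything else
    must match the registered string byte for byte, so a trailing slash, a
    '..' segment or an extra parameter all cause rejection.
    """
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False, "unparseable URI"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo component not allowed"
    if parts.fragment:
        return False, "fragment not allowed"
    if not parts.netloc:
        return False, "missing host"
    canonical = urlunsplit(("https", parts.netloc.lower(), parts.path, parts.query, ""))
    if canonical not in registered:
        return False, "not an exact match for a registered redirect_uri"
    return True, "ok"


def build_authorization_redirect(candidate: str, code: str, state: str) -> str | None:
    """Return the Location header value for the authorization response, or None.

    The strict check runs before the code is attached, so a code is never
    handed to a redirect target the client did not register.
    """
    allowed, _reason = redirect_allowed_strict(candidate)
    if not allowed:
        return None
    return candidate + "?" + urlencode({"code": code, "state": state})


if __name__ == "__main__":
    # Constructed candidates a server might receive in the redirect_uri parameter.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://APP.Example.com/oauth/callback",
        "https://app.example.com/oauth/callback?next=https://attacker.test/",
        "https://app.example.com/some/other/endpoint",
        "https://app.example.com/oauth/callback#token",
        "http://app.example.com/oauth/callback",
    ]
    for uri in samples:
        ok, reason = redirect_allowed_strict(uri)
        print(f"weak={redirect_allowed_weak(uri)!s:5} strict={ok!s:5} {reason:<55} {uri}")
```

The two checks agree on the registered URI and on a plain scheme downgrade, but disagree precisely on the inputs that matter: an added query string or a different path under the same origin passes the prefix check and fails the exact match. The canonicalisation is deliberately minimal; anything beyond case-folding the host (for example collapsing `..` segments) would widen what is accepted rather than narrow it.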
Security provider Malwarebytes Labs warns against linking accounts: if the linked account is compromised, the damage is far greater than if only a single site's password had been exposed.
Facebook allows users to link their accounts with third-party sites, but this can cause security issues. Unlinking your accounts may be a good idea.
To do so, log in to google.com and navigate to: Settings & Privacy > Settings > Accounts Center > Accounts & Profiles.
For more on this story please visit these sources: