2014-05-08

Late last week, it was reported that a flaw in a widely used online login technology could expose social media users' personal information to malicious actors.

Jodi Mardesich of ReadWrite comments, “It’s not the next Heartbleed, but a security flaw in social-login services gives you one more thing to watch out for in apps and on the Web.” Mardesich explains the issue by saying, “the vulnerability stems from a flaw in OAuth 2.0 and OpenID technology that lets you use your login from Facebook, Google, or Amazon (among others) to access other sites and services. Because of the flaw, an attacker can trick a user into thinking he or she is signing in via Facebook or Google and then redirect them to a malicious website. From there, depending on the level of access granted, it can expose your personal information, your contacts, your friends list, or in the case of Google Apps, stored data.” These social logins connect you to various services quickly and conveniently, but the shortcut comes with a security price.

While this vulnerability shows what a malicious actor could do, it also sheds light on security weaknesses in how developers build on and integrate with social media sites. Mardesich expands on these weaknesses with this example: “Facebook, for instance, recommends developers use a whitelist that would effectively close the OAuth loophole by limiting redirections to safe and secure URLs. But Facebook doesn’t require a whitelist, and as a result, many developers don’t use one.”
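As an added illustration of the whitelist Mardesich describes (not code from ReadWrite, Facebook, or the original post): a strict redirect_uri allowlist check on the authorization side, shown beside the looser host-only check that leaves the loophole open. The client ID, registered URI, request URI and the authorization stub are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed data: one client's pre-registered redirect URIs (hypothetical names).
REGISTERED_REDIRECT_URIS = {
    "photo-app": {"https://app.example.com/oauth/callback"},
}


def strict_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Allowlist check: the supplied redirect_uri must equal a registered one
    byte-for-byte. No prefix match, no extra query parameters, no fragment,
    and only https, so a redirector elsewhere on the same host is rejected."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def loose_redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """The host-only check that leaves the loophole open: any path on a
    registered host is accepted, including pages that forward visitors
    (and whatever the provider appended to the URL) to another site."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    hosts = {urlsplit(uri).netloc for uri in registered}
    return urlsplit(redirect_uri).netloc in hosts


def authorize(client_id: str, redirect_uri: str, check) -> dict:
    """Simulated authorization decision. When the check fails the server
    shows an error page; it must not redirect to the unverified URI."""
    if not check(client_id, redirect_uri):
        return {"action": "error_page", "reason": "redirect_uri not registered"}
    joiner = "&" if "?" in redirect_uri else "?"
    return {"action": "redirect", "to": redirect_uri + joiner + "code=CONSTRUCTED_CODE"}


if __name__ == "__main__":
    # Constructed request pointing at a forwarding page on the client's own host.
    suspicious = "https://app.example.com/redirect?url=https://untrusted.example/"
    print(authorize("photo-app", suspicious, loose_redirect_allowed))   # redirect
    print(authorize("photo-app", suspicious, strict_redirect_allowed))  # error_page
```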

What actions do social media sites need to take to improve security in development and prevent issues like this vulnerability? What precautions should individuals take to ensure the security of their information? Let us know what you think on Twitter and Facebook, and be sure to check out our Tumblr for the latest industry news stories.
