
Security BUZZ - 'Log in with...' feature leads to takeover of millions online accounts


    Posted 11-03-2023 09:07

    Implementation flaws in the popular Open Authorization (OAuth) standard across three well-known online services could have exposed hundreds of millions of user accounts on dozens of websites to cybercriminal activities such as credential theft and financial fraud. OAuth is a widely used standard that enables cross-platform authentication, commonly recognized as the option to log in to an online site using a social media account such as "Log in with Facebook" or "Log in with Google." If you have ever used this feature, you were most likely presented with pop-up windows that offered to log you in directly through your social platform. The originating site does not store your username and password, or even know them. But once the social media site authenticates you, a secret token is created and stored by the site. That secret is what is used for verification.

    There is nothing wrong with the OAuth standard. Still, the onus is on the company to develop the site and use the standard to create a frictionless experience for you - the user. It ranges from secure storage and safeguarding of the secret to proper verification and validation.

    According to researchers from security firm Salt, three well-known online service providers did not validate the secret, allowing attackers to reuse it and gain access to multiple accounts. Although the affected companies have taken measures to address the issue, the damage has already been done. Using OAuth always poses a risk, as hackers can use the credentials obtained from one website to access your accounts on numerous other websites. This could allow them to access sensitive information, perform actions like credit card transactions on your behalf, and cause significant harm.

    Keep your destiny in your own hands - set up one complex password per site. Don't delegate the safety of your precious password to the vendor just for convenience.

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
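The post says the affected sites "did not validate the secret," so a token obtained from the identity provider for one site could be replayed against another. The following is an added, stand-alone example (not code from the post, from Salt, or from any of the affected services) of what server-side validation of such a token looks like before a login is accepted: check the signature, the issuer, that the audience names our own client ID, and the expiry. The client IDs, issuer URL and signing secret are constructed placeholders, and HMAC-SHA256 stands in for the RSA signatures real providers use, so the whole thing runs offline with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the post): a shared signing secret, two
# hypothetical relying-party client IDs, and a hypothetical identity provider.
SIGNING_SECRET = b"demo-shared-secret-not-for-production"
OUR_CLIENT_ID = "site-a-client-id"        # the site doing the verification
OTHER_CLIENT_ID = "site-b-client-id"      # another site using the same provider
EXPECTED_ISSUER = "https://idp.example"   # placeholder issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject, audience, issuer=EXPECTED_ISSUER, ttl=300, now=None) -> str:
    """Build an HS256-signed JWT the way a test identity provider would (demo only)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_aud=OUR_CLIENT_ID, expected_iss=EXPECTED_ISSUER, now=None):
    """Return (ok, reason, claims). Every check must pass before the login is accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "malformed", None
    # Pin the algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected_sig = hmac.new(SIGNING_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature", None
    if claims.get("iss") != expected_iss:
        return False, "wrong issuer", None
    # The audience check is the one the post describes as missing: a validly
    # signed token that was issued for some other site must not log anyone in here.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return False, "token not issued for this site", None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired", None
    return True, "ok", claims


def demo():
    """Exercise the verifier with constructed tokens at a fixed clock time."""
    t0 = 1_700_000_000
    good = mint_token("user-42", OUR_CLIENT_ID, now=t0)
    replayed = mint_token("user-42", OTHER_CLIENT_ID, now=t0)   # valid elsewhere, not here
    tampered = good[:-2] + ("BB" if good.endswith("AA") else "AA")  # corrupt the signature
    return {
        "good": verify_token(good, now=t0 + 10)[1],
        "replayed": verify_token(replayed, now=t0 + 10)[1],
        "tampered": verify_token(tampered, now=t0 + 10)[1],
        "stale": verify_token(good, now=t0 + 600)[1],
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:9s} -> {reason}")
```

The order of checks matters: the signature is verified first so that claim checks only run on data the provider actually signed, and the audience check is a strict membership test against our own client ID rather than "any known site", which is exactly the distinction the reported flaw collapsed.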