March 7, 2023
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
What is OAuth and why do you care?
Put simply, OAuth is a framework that allows you to log into one site using the credentials of another site. This is the genesis of the "Sign in with Google" and "Sign in with Facebook" buttons you see all over the web.
Why do you care? According to this very interesting article, "Recent studies show that about 90% of the users preferred social login over traditional email registration on websites."
Why is this a problem? "A security breach in OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more."
Say what?!?! Yes, the problem with OAuth is that it is only as secure as the web developer's implementation of it. The article I mentioned above describes how Salt Labs researchers were able to find three different weaknesses in the implementation of OAuth in booking.com:
"For the OAuth issues we found, had a bad actor discovered and successfully exploited them, that attacker could have taken over the accounts of users logging in via Facebook. Once logged in, the attacker could have performed any action on behalf of the compromised users and gained full visibility into the account, including all of a user’s personal information. Our research found that attackers could then use the compromised booking.com login to also log into sister company Kayak.com."
(They disclosed this to booking.com who fixed the problems right away.)
The moral of this story? Don't use one web account to log into a different website. Have unique accounts everywhere you go (or just shop as a guest as much as possible, and limit how many accounts you have).
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.
Have a great week!
Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺