Serious warning issued for millions of Google Gmail users

Gmail is the most popular email service in the world, and it is also regarded as one of the most secure. But one dangerous exploit might make you rethink how you use the service in the future.

In a blog post disclosing the issue, security researcher Youssef Sammouda revealed that flaws in Gmail's authentication code allowed him to exploit vulnerabilities in Facebook to hijack accounts when Gmail credentials are used to log into the service. And the wider implications are important.

Talking to The Daily Swig, Sammouda explained that he was able to exploit redirects in Google OAuth and chain them with elements of Facebook's logout, checkpoint and sandbox systems to break into accounts. Google OAuth is an implementation of the 'Open Authorization' standard, also used by Amazon, Microsoft, Twitter and others, which lets users link accounts to third-party sites by logging in with usernames and passwords they have already registered with those tech giants.
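The article does not describe the redirect flaw in detail, so the following is an added illustration of the general defensive check involved in any OAuth deployment, not code from the article, from Google, Facebook or the researcher: the authorization server must compare the `redirect_uri` in an authorization request against the client's registered callback by exact match, because a loose prefix match lets an attacker-chosen query string or path suffix ride through and turn the callback into an open redirect. The client id, callback URL and sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed client registration (hypothetical client id and callback URL,
# not values from the article).
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.test/oauth/callback"},
}


def permissive_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Prefix match: accepts anything that merely starts with a registered URI.
    This is the weak pattern; appended query strings or path segments pass."""
    return any(redirect_uri.startswith(r)
               for r in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact match after normalization: scheme must be https, no userinfo,
    no query or fragment, and scheme://host[:port]/path must equal a
    registered value (host compared case-insensitively, default port dropped)."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Reject "https://trusted-host@evil.test/..." style userinfo tricks outright.
    if parts.username is not None or parts.password is not None:
        return False
    if parts.query or parts.fragment:
        return False
    authority = parts.hostname if port in (None, 443) else f"{parts.hostname}:{port}"
    normalized = f"https://{authority}{parts.path}"
    return normalized in REGISTERED_REDIRECTS.get(client_id, set())


def audit_redirects(client_id: str, candidates: list[str]) -> list[str]:
    """Return the candidate URIs the permissive check would accept but the
    strict check rejects, i.e. the gap an attacker-chosen redirect would use."""
    return [u for u in candidates
            if permissive_redirect_ok(client_id, u)
            and not strict_redirect_ok(client_id, u)]


# Constructed authorization-request redirect_uri values for the audit.
SAMPLE_REDIRECTS = [
    "https://app.example.test/oauth/callback",                        # legitimate
    "https://app.example.test/oauth/callback?next=https://evil.test",  # extra query
    "https://app.example.test/oauth/callback/../../r?to=evil",         # path suffix
    "https://APP.example.test/oauth/callback",                         # host case only
    "http://app.example.test/oauth/callback",                          # downgraded scheme
    "https://app.example.test@evil.test/oauth/callback",               # userinfo trick
]

if __name__ == "__main__":
    for uri in audit_redirects("client-123", SAMPLE_REDIRECTS):
        print("prefix match would accept, exact match rejects:", uri)
```

Running the audit flags the two constructed requests that only differ from the registered callback by an appended query string or path suffix; the exact-match check also accepts the host-case variant, since DNS names are case-insensitive, while rejecting the plain-http and userinfo variants.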

Sammouda warned that the exploit could have been used much more widely and confirmed that Facebook awarded him a $44,625 "bug bounty" this month for the discovery. Facebook has since patched the vulnerability on its end. I have contacted Google for a response on Google OAuth's role in the exploit and will update this post if I receive one.

Commenting on Sammouda's findings, security provider Malwarebytes Labs issued a warning to anyone using linked accounts: "Linked accounts were invented to make logging in easier," writes Pieter Arntz, the company's Malware Intelligence Researcher. "You can use an account to sign in to other apps, sites, and services… All you have to do to access the account is confirm that the account is yours."

“We wouldn’t recommend it, because if someone gets the one password that controls them all, you’ll be in even more trouble than if a single site’s password were compromised,” he explains.

If this news makes you uncomfortable, note that it is possible to unlink accounts, including Google OAuth, from Facebook. Go to: Settings & Privacy > Settings > Account Center button > Accounts & Profiles. A similar unlinking process can be used on other third-party sites where you already log in with Amazon/Google/Microsoft/Twitter credentials.

All of this leaves everyday users with a serious convenience-versus-security headache. After all, it is Gmail credentials this time; it could be other OAuth partners next. Whatever you decide, you have been warned.
