Third-party login services like those offered by Google or Facebook are commonly used on websites and services to secure the login flow and streamline the registration process. While this helps validate that the user has the appropriate credentials for the third-party account, it doesn’t ensure that the session or the user itself is legitimate.
Some of the largest services on the Web have dropped their safety checks for the third-party login flow, and malware has taken advantage of exactly that by hijacking validated users’ Facebook or Google sessions to create accounts on other sites and abuse the service without the actual user knowing it. Even when multifactor authentication is applied (for instance on Google), if the user is logged in, malware running on his computer can use the credentials without any additional validation or approval from the user.
To avoid such automation attacks, a responsible implementation will perform security checks on the user even when logged in through a “trusted” third-party login, especially on critical flows like account creation. Ido Safruti and Tomer Cohen explore the details behind some of the attacks performed by a malware distribution network of browser extensions that opened hidden browser connections to create accounts on some of the world’s largest services and used these accounts to control and distribute the malware further, making the services active participants in the distribution of malware and exposing them further. Ido and Tom share a set of principles and recommendations for safer implementations of third-party logins and demonstrate how to avoid being targeted by attacks that can threaten your users and your service’s reputation.
Ido Safruti is the cofounder and CTO at PerimeterX, which is building a behavior-based web security service. Previously, Ido headed a product group in Akamai focusing on web performance and scalability. Ido joined Akamai through the acquisition of Cotendo, where he led product and strategy. His earlier roles include GM in charge of product engineering and operation, R&D manager, chief scientist, and head of engineering at various companies and the Israeli intelligence, where he focused on high-capacity, large-scale web and network services and cybersecurity systems.
Tomer Cohen leads the team at Wix.com responsible for all R&D and production systems security. Previously, Tomer worked as an application security expert at Comsec Consulting, a cyber security consulting agency. Tomer was also one of the founders of the Magshimim cyber training program, which trains high-school students in Israel in cyber security.
©2016, O’Reilly UK Ltd • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org