Serious Warning Issued For Millions Of Google Gmail Users

Consumer Tech Editors’ Pick Serious Warning Issued For Millions Of Google Gmail Users Gordon Kelly Senior Contributor Opinions expressed by Forbes Contributors are their own. I write about technology’s biggest companies May 21, 2022, 05:23am EDT | Share to Facebook Share to Twitter Share to Linkedin Gmail is the world’s most popular email service, it is also known as one of the most secure. But a dangerous exploit might make you rethink how you want to use the service in future. In an eye-opening blog post , security researcher Youssef Sammouda has revealed that flaws in Gmail’s authentication code enabled him to exploit vulnerabilities in Facebook to hijack accounts when Gmail credentials are used to sign in to the service. And the wider implications are significant. Gmail has been SOPA Images/LightRocket via Getty Images Speaking to The Daily Swing , Sammouda explained that he was able to exploit redirects in Google OAuth and chain it with elements of Facebook’s logout, checkpoint and sandbox systems to break into accounts. Google OAuth is part of the ‘ Open Authorization ‘ standard used by Amazon, Microsoft, Twitter and others which allows users to link accounts to third-party sites by signing into them with the existing usernames and passwords they have already registered with these tech giants. Sammouda warned that the exploit could have been used far more widely and confirmed that he was paid a $44,625 ‘bug bounty’ by Facebook this month for his discovery. Facebook has subsequently patched the vulnerability from their side. I have contacted Google for a response on the role of Google OAuth in the exploit and will update this post when/if I receive a reply. Commenting on Sammouda’s findings, security provider Malwarebytes Labs issued a warning to anyone using linked accounts: “Linked accounts were invented to make logging in easier,” writes Pieter Arntz, the company’s Malware Intelligence Researcher. “You can use one account to log in to other apps, sites and services… All you need to do to access the account is confirm that the account is yours.” MORE FOR YOU Google Issues Warning For 2 Billion Chrome Users Forget The MacBook Pro, Apple Has Bigger Plans Google Discounts Pixel 6, Nest & Pixel Buds In Limited-Time Sale Event “We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised,” he explains. If this news makes you uncomfortable, note it is possible to unlink accounts, including Google OAuth, from Facebook. Navigate to: Settings & Privacy > Settings > Accounts Center button > Accounts & Profiles . A similar unlinking process can be used on other third-party sites where you already sign in using Amazon/Google/Microsoft/Twitter credentials. All of which gives everyday users a serious convenience Vs security headache. After all, it may have been Gmail credentials this time, it could be other OAuth partners next. Whatever your decision, you have been warned. ___ Follow Gordon on Facebook More On Forbes MORE FROM FORBES Google Reports (And Fixes) 13 New Chrome Vulnerabilities By Gordon Kelly Gordon Kelly Editorial Standards Print Reprints & Permissions