Your data is at risk every time you log in via Facebook or Twitter
Be careful the next time you log in to a site via your Facebook or Twitter account.
A Singaporean Ph.D student has discovered a major bug in two of the most common login tools on the Internet. Attackers can use the flaw to steal data from your accounts for websites like Google, Facebook, PayPal, LinkedIn, and more.
OpenID and OAuth 2.0 are designed to make logging in easy. Instead of entering a username and password, these tools allow you to simply log in via third-party websites using, for instance, a Facebook or Twitter account. Many of the most popular websites online use these tools.
Wang Jing, a Ph.D student at the Nanyang Technological University in Singapore, went public earlier today with his discovery of a serious “Covert Redirect” flaw in both OpenID and OAuth that can send personal data to a phishing site masquerading as a trustworthy login popup. You could be sending your email address, contact lists, birthday, and more to the attacker, who might then send you along to a phishing website to steal even more sensitive data from you.
Since Wang has gone public, numerous others have corroborated his claims. Fixing the problem is “easier said than done,” said Wang, so users are advised to be extremely careful when logging into third-party sites using Twitter, Facebook, and Google accounts until further notice.
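For readers who run a login provider: as publicly documented, Covert Redirect depends on the provider accepting a return address that is only loosely matched against the one the site registered. The sketch below is an added example, not code from the article or from any provider, and its client ID, hosts and URLs are constructed; it compares a host-only check with an exact-match check.

```python
from urllib.parse import urlsplit

# Constructed registration data for a hypothetical client; not from the article.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Weak policy: accept any HTTPS URL on a registered host."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in hosts


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Strict policy: the full URI must equal a registered value exactly."""
    parts = urlsplit(redirect_uri)
    # Reject fragments and embedded credentials before comparing.
    if parts.fragment or parts.username or parts.password:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


# Constructed requests: the second stays on the client's own host but names a
# page that forwards visitors to whatever URL its "next" parameter holds.
SAMPLES = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/go?next=https://phish.example.net/",
    "https://phish.example.net/oauth/callback",
]


def compare(client_id: str = "demo-client"):
    """Return (uri, loose_result, strict_result) for each sample request."""
    return [(u, loose_check(client_id, u), strict_check(client_id, u)) for u in SAMPLES]


if __name__ == "__main__":
    for uri, loose, strict in compare():
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

Only the exact-match policy rejects the second request, which is why host-level matching leaves the login response exposed to any forwarding page on the client's site.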
H/T CNet | Illustration by Jason Reed
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.