Google and Facebook Single Sign On (SSO)

Single Sign On (SSO) options are commonly seen through providers such as Google, Facebook and, to a lesser extent, Apple.  There are also less obvious commercial implementations where a single organisation entry point is used to access many distinct services.  Users of such corporate systems may not realise that they are using SSO, as the different systems may all share the same branding and the details are handled by their system administrator.  In every case it is the initial sign on that is validated by the account issuer (the identity provider).  On success a signed token is passed to the intended destination (the relying party), which grants access on the strength of that token.  The linked accounts never store or even receive the password, but they do rely on the same identity, typically the email address or account ID supplied by the issuer.

The obvious selling point is that an individual can access several websites or services using a single existing account.  The owner does not need to create a new user name and password combination, which removes the temptation to reuse the same or a similar password across several systems.  The new account can also be populated immediately with relevant information from the validating account, although in most cases that function is restricted.

The individual does not have full control over what is passed across once a new SSO account has been created, so the information that will be shared should be disclosed before the initial sign up.  On Reddit, for example, the user needs to navigate to ‘User Agreement’ and then ‘Reddit Privacy Policy’ to find it, and none of these steps are required to create an account.

The originating password is not transferred, and the only information passed across by default by Google is the name, email address and profile picture.  Other information can be shared if permission is granted at sign up, including data within emails, contacts and personal photos.  Anyone signing up should consider whether that information is genuinely essential to the service.  Once access has been granted, it is the terms and conditions of the third party that govern how any data might subsequently be passed on.  If a third party were to be compromised, or were a wholly fraudulent operation from the start, it could harvest without restriction all the data that Google had allowed it to access.  Google does allow linked apps and services to be viewed and disconnected, but the account owner needs to log in to Google to do so.  It is good practice to remove accounts or services that are unlikely to be needed again, but this cannot undo any wider data disclosure that has already occurred.

By default the Facebook SSO login will pass across the user's email address and public profile.  Additional information can be requested, although such requests are subject to review by Meta.  The public profile itself includes name, gender, username and user ID (account number), profile picture and cover photo.  As with Google, it should be possible to remove access from accounts that were previously created through SSO.  It is also possible to switch off the SSO functionality at the Facebook end, preventing its use should an unauthorised individual gain access to the account.

In both cases the data transferred by default is relatively harmless, with Google being the more restrictive of the two.  Any new linked account would almost certainly need more information to be of any benefit to the user and the body running it, so either it will ask on creation for access to more personal data or the user will need to enter it manually.  The saving in repeated data entry is therefore unlikely to amount to much of a benefit.
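The token handover described above, and the way the requested scopes decide what the third party actually receives, as an added example that is not Kindus's code and not Google's or Facebook's implementation.  It models both sides of an OpenID Connect login in Python: the provider authenticates the user and signs an ID token, and the relying party accepts it only after checking the signature, issuer, audience, expiry and nonce.  Google signs real ID tokens with RS256 and publishes the verification keys; to run offline this example uses an HMAC-SHA256 secret shared between the two roles, and the issuer URL, client ID, subject ID and claim values are all constructed for illustration.

```python
"""Both sides of an OpenID Connect login, stripped to the essentials.

Added example, not code from Kindus, Google or Facebook.  The identity
provider authenticates the user and signs an ID token; the relying party
(the third-party site) only ever receives that token and the claims the
user consented to.  Google signs real tokens with RS256 and publishes the
verification keys; to run offline this uses an HMAC-SHA256 secret shared
by both roles.  Issuer, client ID and claim values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

ISSUER = "https://accounts.example-idp.test"     # constructed identity provider
CLIENT_ID = "example-relying-party"              # constructed app registration
SIGNING_KEY = b"demo-shared-secret"              # stand-in for the provider's private key
DEFAULT_SCOPES = ["openid", "email", "profile"]  # the default 'Sign in with Google' request


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(scopes, state, nonce, redirect_uri="https://rp.test/callback"):
    """Relying party: the redirect that sends the browser to the provider.
    The password is typed into the provider's page, never the relying party's;
    the scope list is what the consent screen will ask the user to share."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # bound to the browser session; blocks forged callbacks
        "nonce": nonce,   # must reappear inside the ID token
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def issue_id_token(claims, key=SIGNING_KEY):
    """Provider: mint a signed ID token (a JWT) after the user has logged in."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token, expected_nonce, now=None, key=SIGNING_KEY):
    """Relying party: every check that must pass before the token grants
    access.  Returns the verified claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # reject alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # a genuine token minted for another app
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # token replayed from another login
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token, expected_nonce, now=None):
    """Convenience wrapper: the reason a token is refused, or None if accepted."""
    try:
        verify_id_token(token, expected_nonce, now)
    except ValueError as err:
        return str(err)
    return None


def demo_login(now=1_700_000_000):
    """Runs the whole exchange with constructed claims and returns what the
    relying party ends up knowing about the user."""
    nonce = "n-7f3a"
    build_authorization_url(DEFAULT_SCOPES, state="s-91c2", nonce=nonce)
    # Roughly what the default 'openid email profile' scopes yield: an opaque
    # subject ID, email, name and picture.  No password, and nothing from mail,
    # contacts or photos unless those scopes were requested and granted.
    token = issue_id_token({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "1029384756",
        "email": "alice@example.test", "email_verified": True,
        "name": "Alice Example", "picture": "https://cdn.example.test/alice.jpg",
        "iat": now, "exp": now + 3600, "nonce": nonce,
    })
    return verify_id_token(token, expected_nonce=nonce, now=now + 60)


if __name__ == "__main__":
    print(json.dumps(demo_login(), indent=2))
```

Running the file prints the claims the relying party ends up holding: a subject ID, email address, name and picture, and nothing else.  Widening `DEFAULT_SCOPES` is the only way more data reaches the third party, which is exactly the decision the consent screen is asking the user to make.  The audience check is the one most often skipped in practice; without it a genuine token issued to some other site would be accepted here.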

The transfer, and possible subsequent display, of the Google or Facebook user name on another service is a genuine concern, as it builds up a data trail linked to one individual that can later be analysed and exploited by fraudsters.

Another trade-off is between the strong security offered by providers such as Facebook and Google and the much greater damage that follows should such an account be compromised.  Any security that depends on the user entering some type of credential will always be vulnerable to social engineering attacks, which can sometimes be frighteningly convincing.  Accounts such as Facebook and Google are usually set to keep the user logged in.  They will however ask for the password in some cases (exposing it to keyloggers or man-in-the-middle attacks) and will send alerts to backup email addresses.  This is all designed to prevent accounts being taken over, but if the password and access to the linked recovery email have both been lost then recovery of the original account might prove impossible.  This in turn would lose access to all the other linked accounts.

A simple mitigation is to have more than one Google or Facebook account, treating one as the home account and another as a work or hobby account, or simply as the less crucial one.  Use the lesser account where security or leaving a data trail matters less: for throwaway third-party accounts that require a sign on but very little other information, or for discussion boards, to keep any contributions anonymous.
