I got an email from at least one site saying they use Cloudflare and due to the recently discovered leak they're recommending I change my password on their site.

But I don't have a password on their site, I use the "Log in with Facebook" option.

Do I need to reset my Facebook password, or take any other action on Facebook to ensure that leaked data cannot be used to access any of my accounts? If I need to take some other action, what is it and how do I do it?

ShadSterling
  • @SteffenUllrich I assume you're referring to where it says "If a Cloudflare-dependent site uses Oauth, you should make an extra step resetting your oauth dependent sessions across the web." Does Facebook offer a way to do that? Does resetting my Facebook password also reset "Log in with Facebook" sessions on other sites? – ShadSterling Mar 01 '17 at 15:28
  • According to http://stackoverflow.com/questions/18587557/facebook-access-token-invalidation-upon-password-change-and-how-pinterest-gets-n password change should invalidate the Oauth token – Steffen Ullrich Mar 01 '17 at 15:33
  • @SteffenUllrich, I don't find an opinion expressed in a question from almost 5 years ago very compelling. I'd welcome a link to a current official Facebook page where they document that behavior. – ShadSterling Mar 02 '17 at 02:53
  • I wonder if it would be enough to just log out and back in to each affected site – ShadSterling Mar 02 '17 at 02:54

2 Answers

2

When logging in with Facebook your password is only sent to Facebook and not to the web site where you log in. The site where you want to log in asks Facebook who you are, and Facebook provides the site with some information and a secret token. Anyone who has this token can impersonate you on the site.

So your Facebook password has not been leaked, but your token may have been. To revoke the token, you can revoke the access the application has from within Facebook.

Sjoerd
  • Revoking access sounds like it will make logging in with Facebook no longer work on that site, which is not what I want. If tokens may have been compromised I want to force sites to get new tokens but preserve everything else. – ShadSterling Mar 02 '17 at 02:33
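A toy model of the trust relationship the answer describes (an added example, not code from the question, the answers, or Facebook): the password goes only to the identity provider, the site holds an opaque token and asks the provider who it belongs to, anyone holding a copy of that token gets the same answer, and revoking the app's access at the provider is what makes the copy useless. All names and the introspection/revocation calls are constructed for this model.

```python
import hmac
import secrets


class IdentityProvider:
    """Stand-in for the provider you log in to (constructed, not Facebook's API)."""

    def __init__(self):
        self._passwords = {}   # user -> password (plain text only in this toy model)
        self._tokens = {}      # token -> (user, app) grants currently valid

    def register(self, user, password):
        self._passwords[user] = password

    def authorize(self, user, password, app):
        """User proves identity to the provider and grants `app` access; returns a token."""
        if not hmac.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, app)
        return token

    def introspect(self, token, app):
        """Answer 'whose token is this?' for the asking app, or None if not valid for it."""
        entry = self._tokens.get(token)
        return entry[0] if entry and entry[1] == app else None

    def revoke_app(self, user, app):
        """The 'remove this app' action in the provider's settings: drop all its tokens."""
        self._tokens = {t: g for t, g in self._tokens.items() if g != (user, app)}


class RelyingParty:
    """The site offering 'Log in with ...'; it never receives the user's password."""

    def __init__(self, idp, name):
        self.idp, self.name = idp, name

    def login(self, token):
        return self.idp.introspect(token, self.name)


def demo():
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")
    site = RelyingParty(idp, "example-shop")
    token = idp.authorize("alice", "correct horse battery staple", "example-shop")
    before = site.login(token)            # legitimate login -> "alice"
    leaked_copy = token                   # the same value, as it would appear in a leak
    with_copy = site.login(leaked_copy)   # still "alice": the token alone is sufficient
    idp.revoke_app("alice", "example-shop")
    after = site.login(leaked_copy)       # None: the grant no longer exists at the provider
    return before, with_copy, after
```

Run `demo()` to see the three states in order; a site that caches the identity in its own session cookie would additionally need to drop that session, which this model does not cover.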
1

I'm not positive but I would think that you're okay without changing your password for a couple of reasons.

  • I have seen no indication, reports or advisories that logging in via the Facebook API has compromised anyone's user accounts
  • Facebook's security is highly regarded and if a risk was present I would imagine they would pro-actively revoke authentication / session tokens used
  • The API the website uses to authenticate w/ Facebook likely does not sit behind Cloudflare, though this is impossible to know without knowing what web service you're referring to
  • An extremely small percentage (0.00003%) of requests were thought to have been leaked

With that said it's never a bad idea to change your password if there's even the possibility it was compromised to avoid future headaches.

DKNUCKLES