
With all the coverage of the Cambridge Analytica scandal, it seems like this wasn't a data breach or hack, it was just that Cambridge Analytica did not properly disclose how they would use the data.

Is signing into a website using an OAuth2 service like Facebook or Google a potential privacy concern now?

I always thought that OAuth2 only provided a token to the website but it seems like there is actually much more information that is given.

  • What data does the OAuth2 provider provide to the website?
  • What data does the OAuth2 provider get from the website? Is Facebook or Google basically able to track all your activity on the website?
korrigan
stickman

1 Answer


OAuth2 is not intrinsically a security risk for an end-user, i.e. the person authenticating on a third-party service using their Google or Facebook account (for example).

OAuth2 works in scopes, which define the nature and amount of data the third-party service will end up having access to.

You will probably be familiar with this kind of screen (source):

[Image: OAuth2 consent screen example from the Google Developers documentation website]

A well-designed OAuth2 implementation will clearly express the various bits of information that will be disclosed to the third-party service.

However, this really depends on the OAuth2 provider's apt definition of scopes. There are no standard scopes, so they vary from provider to provider, as shown in this scopes-by-provider list.

Therefore the "outside risk" lies in your choice of OAuth2 provider. It is possible to implement OAuth2 in a totally insecure way, and still "adhere" to the OAuth2 specification. What if I ran a service with a single scope for all your information? What if my description of such scope in the consent page was misleading?

More generally, it is often a criticism of the OAuth2 specification that it leaves critical elements out for the implementers to make up by themselves, leading to all sorts of problems. The wikipedia page briefly brushes on them (please feel free to go down the rabbit hole and read up on it).

But this does not make OAuth2 itself intrinsically insecure.

Addressing the current Cambridge Analytica scandal: Facebook, for all that could be held against them, run a reputable OAuth2 implementation and have been providing this service for years before this event. People who surrendered their information in the Cambridge Analytica debacle must have initially clicked through the consent screen, which must have displayed an item about disclosing their friends circle, when using the psychological profiling app that ended up fishing (not phishing) for all this information. It seems however, that Facebook has at least been "negligent" in enforcing its data usage policy (make up your own mind).

Edit: @Ian commented that the Cambridge Analytica’s app users may not have given explicit consent for their friends data to be pulled. I suppose it means Facebook may not have been straightforward in the description of their scope.

As for your last question, an OAuth2 provider is not able to tell any more than when and how often the third-party service accesses the scoped information. It cannot know what you are doing with the third-party service, or for that matter, what the service is doing with your information. It's (rightly) out of their hands.

korrigan
  • A lot of the concern is that the 270,000 people who were paid to take the initial tests by CA did not grant any explicit permissions for their friends' data to be harvested. The Facebook API simply allowed it, 'as long as it was for academic research'. I think this facility was used by 11.7% of 3rd party FB devs iirc (at that time period). –  Mar 22 '18 at 08:30
  • Thanks for this precision, I wasn’t sure about it. I guess it then boils down to « do you trust your identity provider to act ethically? ». – korrigan Mar 22 '18 at 08:53
  • @Ian i have edited my answer to reflect your comment. Thanks. – korrigan Mar 22 '18 at 08:57
  • When the user is redirected to the ID provider's oauth2 server (Google or Facebook in this case), in that request is the name of the site you are signing up to. I don't know what, if anything, Google or Facebook does or if it shares that information. So for example, if you use your Google account to sign up for a web site about dogs, Google then knows you have an interest in dogs. This may not be related to the CA scandal, just that there is "information leakage" in oauth itself, if that concerns you, create a login using a user/password instead of using your Google or Facebook account. – Michael Grant Sep 22 '20 at 09:34
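To make the two points above concrete (the answer's "OAuth2 works in scopes" and the last comment's note that the authorization request itself tells the provider which site you are signing up to), here is an added example that is not part of the original answer or comments and is not any provider's real code. It models the authorization-code flow offline: what the third-party site puts in the authorization request, what the identity provider can read from that request alone, what a consent screen should list per scope, and what the resource server returns for a token limited to the granted scopes. The endpoint URLs, the scope names, the scope-to-field mapping and the user record are all constructed for illustration; real providers define their own scope names.

```python
"""Offline model of the OAuth2 authorization-code flow, showing which data
crosses which boundary. Everything below is constructed for illustration
(hypothetical provider, scopes and user record), not a real provider's API."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical provider endpoint (assumption, not a real service).
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"

# Constructed scope catalogue: which user fields each scope unlocks.
# There is no standard list; a provider could just as well define one
# scope that unlocks everything, which is the risk the answer describes.
SCOPE_FIELDS = {
    "openid": {"sub"},
    "email": {"email"},
    "profile": {"name", "picture"},
    "friends": {"friends"},
}

# Constructed user record held by the provider.
USER_RECORD = {
    "sub": "user-1234",
    "email": "alice@example.net",
    "name": "Alice Example",
    "picture": "https://idp.example/p/1234.png",
    "friends": ["user-2222", "user-3333"],
}


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """The URL the third-party site redirects the browser to.

    client_id and redirect_uri identify the site to the provider; scope is
    the list of data the site is asking for; state binds the later callback
    to this browser session (left to implementers by the spec, so easy to omit).
    """
    unknown = [s for s in scopes if s not in SCOPE_FIELDS]
    if unknown:
        raise ValueError("invalid_scope: " + ", ".join(unknown))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def provider_view(authorization_url):
    """What the identity provider learns from the request alone: which site
    (from client_id and redirect_uri) and which scopes were requested.
    It learns nothing about what the user later does on that site."""
    q = parse_qs(urlsplit(authorization_url).query)
    return {
        "client_id": q["client_id"][0],
        "site": urlsplit(q["redirect_uri"][0]).netloc,
        "requested_scopes": q["scope"][0].split(),
    }


def consent_items(requested_scopes):
    """What a well-designed consent screen should list: one entry per
    requested scope, spelling out the fields that scope unlocks."""
    return {s: sorted(SCOPE_FIELDS[s]) for s in requested_scopes}


def handle_callback(redirect_url, expected_state):
    """Site-side callback handling: reject the code unless state matches
    the value this session generated (guards against login CSRF)."""
    q = parse_qs(urlsplit(redirect_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    return q["code"][0]


def userinfo(granted_scopes):
    """What the resource server returns for a token carrying these scopes:
    only the fields unlocked by scopes the user actually granted."""
    allowed = set().union(*(SCOPE_FIELDS[s] for s in granted_scopes))
    return {k: v for k, v in USER_RECORD.items() if k in allowed}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(
        "dogs-site-client", "https://dogs.example/cb",
        ["openid", "email", "friends"], state)
    print("provider sees:", provider_view(url))
    print("consent screen:", consent_items(["openid", "email", "friends"]))
    # User declines the "friends" item on the consent screen.
    granted = ["openid", "email"]
    code = handle_callback(
        f"https://dogs.example/cb?code=abc123&state={state}", state)
    print("code:", code, "-> site receives:", userinfo(granted))
```

Running it shows the asymmetry the answer describes: the provider's view contains the site (`dogs.example`) and the requested scopes, while the site's view is limited to the fields behind the scopes the user granted, so declining `friends` keeps the friend list out of the response entirely. A provider that defined one catch-all scope, or described a scope misleadingly on the consent screen, would still satisfy this flow, which is why the choice of provider carries the residual risk.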