8

Sites like Stack Overflow, Quora, and many more offer sign-in with Google/Facebook. In the event that there is a data breach or the site is hacked, is there any security risk to your Google/Facebook account?

schroeder
rcs
  • Are you asking specifically about Google and Facebook, or about third party login in general? Some of the answer depends on how the third party login is implemented - it's possible to do it in a way which avoids risks, but it's also possible to do it in a way which exposes the third party data in the event of a data breach. – Matthew Dec 04 '18 at 15:31
  • It would depend on how it is implemented, but my gut reaction is almost certainly not. Usually when you authenticate with Facebook, for instance...the process should inform the user what sort of information Facebook will share with the third-party site. This information could be stored by the third party and be exposed...the login credentials and other private information for the user's Facebook account are not exposed in this scheme. – DarkMatter Dec 04 '18 at 16:14
  • @hshantanu no it is not. The question is if the website using 3rd party auth exposes risks to the 3rd party if the site is compromised. Cambridge Analytica is a completely different issue. – schroeder Dec 04 '18 at 16:52
  • I'd say specifically Google and Facebook, as both of them are the most common. It used to have OpenID too, but now it is no longer used. – rcs Dec 05 '18 at 00:33
  • I don't see the question addressed of how you could be sure that a third party site was not presenting a spoofed Google login screen where you could give them your login credentials. For example, reputation.com sent me, apparently, a request to click on a link to a Colombian tld the other day to rate a local doctor. I instead went to the web in a browser on a laptop and checked it. The .co redirected to service.reputation.com with https commands apparently requesting a Google Review link. I declined to logon, not recognizing the mini blue window requesting "sign in with Google account..." – Dalton Bentley May 18 '22 at 15:01

2 Answers

2

If the application keys are leaked after the website is hacked, the attacker can act on the permissions authorized by you to the targeted site. For example, if you have authorized the site to manage your Google Drive, then they can view your Google Drive, and similar abuse can be carried out with Facebook and other OAuth-compliant websites.

Aayush
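An added example (not from any answer on this page) of the point made in the answer above: what a leaked token allows is bounded by the scopes the user granted to the site. The `Grant` record shape and the sample rows are constructed assumptions; the scope strings are Google's published ones.

```python
from dataclasses import dataclass

# Google scopes that only identify the user (sign-in, no data access).
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

@dataclass
class Grant:
    """Hypothetical row in a relying site's token store (assumed shape)."""
    user: str
    scope: str               # space-delimited, as in an OAuth 2.0 token response
    has_refresh_token: bool  # True if the site kept a refresh token

def exposure(grant):
    """Classify what a leak of this grant would let someone reach."""
    data_scopes = sorted(set(grant.scope.split()) - IDENTITY_SCOPES)
    if not data_scopes:
        level = "identity-only"             # name/email, nothing else
    elif grant.has_refresh_token:
        # Refresh token plus the site's client secret can be renewed
        # until the user revokes the app.
        level = "data-access-until-revoked"
    else:
        level = "data-access-until-expiry"  # access token lifetime only
    return level, data_scopes

def audit(grants):
    """Map each user to (exposure level, scopes beyond sign-in)."""
    return {g.user: exposure(g) for g in grants}

# Constructed sample records, not real accounts or tokens.
SAMPLE = [
    Grant("alice", "openid email profile", False),
    Grant("bob", "openid email https://www.googleapis.com/auth/drive", True),
    Grant("carol", "openid https://www.googleapis.com/auth/drive.readonly", False),
]

if __name__ == "__main__":
    for user, (level, scopes) in audit(SAMPLE).items():
        print(f"{user}: {level} {scopes}")
```

A site that requests only sign-in scopes lands every user in the `identity-only` row, which is the smallest exposure this audit can report.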
0

It all depends on how sites like Quora, StackExchange, etc. store your keys that are used to authenticate you via your Google or Facebook account.

The keys may be stored in plain text or in ciphertext.

Now let us consider that your Quora account got breached.

If the keys are stored in plain text, then your Quora account can be accessed by the attacker without any difficulty or hard work. It may then be used to change the password of your Quora account, and other abuse activity. If you are using the same logins for your Facebook/Google account, then these accounts are also breached.

If the keys are hashed (encrypted) by Quora, then the attacker needs to use OphCrack-like tools to crack (brute-force) these rainbow tables. In case he/she is successful, then your Google/Facebook account is compromised.

To avoid being breached, below are recommendations:

  • Never use the same password to get authenticated to all the sites.
  • Always use multi-factor authentication (MFA) wherever possible.
  • Please read the Terms and Conditions and Privacy Policy of the site that you are registering with, to see how that site is handling your personal data.
nocut