5

Logging in to websites using mainstream IDs (Google/Facebook/GitHub etc.) by means of OAuth (or similar) has nowadays become a feature that people expect.

Not that long ago the corresponding user experience included popups asking if the website should be allowed to access the user's data from the ID provider. But today even that is no longer a norm: you can log in with just a single click (for example, logging in to travis-ci.com with a GitHub account).

Setting aside legal limitations (GDPR etc.), is it technically possible for websites to silently attempt to log visitors in with a range of ID providers in order to figure out who is visiting and grab whatever data is grabbable from those providers?

In other words, when I browse websites while logged in to, say, Facebook, are they technically able to log me in behind the scenes and see my name and whatever Facebook lets them see?

Greendrake
    In a practical sense, websites can simply make a button labelled "Click here to connect evil.com to Facebook!" and most users would probably be like "Heck yes!". –  May 17 '19 at 10:55

1 Answer

1

It depends.

Can websites see if you are logged in?

Yes, if you have third-party cookies enabled.

Are they able to log you in behind your back?

This shouldn't be possible.

Can they grab data from a website?

I'm not too sure on this one, but this should depend on the security of the website. Maybe you could do some mischief, but a properly set up X-Frame-Options in combination with a secure CORS implementation should prevent most of it.

Please note I only mention CORS because it plays a role in the practical implementation of such systems and has no direct security benefits.

  • "_This shouldn't be possible._" If I can log in via OAuth just by pressing a button, why shouldn't it be possible to "press" such a hidden button without my action or knowledge? – Greendrake May 17 '19 at 19:29
  • @Greendrake: Why? Because of CORS. – mentallurg May 19 '19 at 23:38
  • @mentallurg What makes CORS prevent it that doesn't when the button is clicked by the user? – Greendrake May 20 '19 at 04:45
  • @Greendrake I just realized that I did not word my answer properly, so let me clear things up. If everything is properly set up (X-Frame-Options, CORS) you can't click on a hidden button because it does not allow embedding the login page on a different domain. CORS only helps indirectly as it helps to implement secure resource sharing. – BloodViolet May 23 '19 at 08:38
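
A check for the framing protection mentioned in the answer and its last comment, as an added example that is not part of the original thread: it classifies a login or consent page's response headers by whether a page on another origin could embed it in a frame. The function names and the sample headers are constructed for illustration.

```javascript
// Added example: can a page on another origin frame this login/consent page?
// Header names are real; function names and sample responses are constructed.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function crossOriginFraming(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors, when present, is enforced instead of X-Frame-Options.
  const csp = h['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    const list = ancestors.map((s) => s.toLowerCase());
    // An empty list, 'none', or only 'self' all exclude other origins.
    if (list.every((s) => s === "'none'" || s === "'self'")) return 'blocked';
    return 'allowed-for-listed-origins';
  }

  // X-Frame-Options may carry several comma-separated values; any DENY or
  // SAMEORIGIN among them stops a cross-origin embedder.
  const xfo = (h['x-frame-options'] || '').toLowerCase().split(',').map((s) => s.trim());
  if (xfo.includes('deny') || xfo.includes('sameorigin')) return 'blocked';

  // Missing header, or the obsolete ALLOW-FROM that current browsers ignore.
  return 'unprotected';
}

// Constructed sample responses from a hypothetical authorization endpoint.
const samples = [
  { 'X-Frame-Options': 'DENY' },
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'Content-Security-Policy': 'frame-ancestors https://partner.example',
    'X-Frame-Options': 'DENY' },
  {},
];
for (const s of samples) console.log(JSON.stringify(s), '->', crossOriginFraming(s));
```
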