
I'm working with a company (say, Acme) that does some ongoing data collection and processing for me. The data in question is private but not all that sensitive. Part of Acme's service has password-protected access via the web, so Acme obviously needs to be handling security around internet-facing services.

A few days ago I wanted to enable a feature that would involve Acme streaming some of my private (but not all that sensitive) data to a third company (say, Bravo), and during the feature enabling process I got a warning that Bravo would be granted full access to my Acme account. (So I didn't proceed.) I've since confirmed with Acme that "right now" that's how it works (it really is full access, Bravo could [but in theory won't] change my account password, cancel my service, etc.), though they have plans to tighten it up in the future.

This makes me wonder about Acme's internal security processes. I'm no expert in this area, but only granting minimum access is really basic, right? If they're not doing it when connecting with an external company like Bravo, is that a big red flag in terms of what else they're doing in terms of security best practices internally? Or given that everyone has contracts with everyone else, not really that big a deal?

Barney

1 Answer


Of course, a lot of things like that will come down to trust. You either have to completely trust Bravo to not do any harm (intentional or accidental), or you could assume everything is compromised. Depending on how access was granted to Bravo, you may want to take steps to secure your account, such as verifying personal details and changing your password.

This makes me wonder about Acme's internal security processes. I'm no expert in this area, but only granting minimum access is really basic, right?

The principle of least privilege is well known, but unfortunately not all software is written with security in mind. Sometimes, the deadline to push out a new feature causes security to be ignored in the meantime. Or perhaps Bravo isn't able or willing to support a better method at this time.

If they're not doing it when connecting with an external company like Bravo, is that a big red flag in terms of what else they're doing in terms of security best practices internally? Or given that everyone has contracts with everyone else, not really that big a deal?

It's hard to make assumptions like that without having concrete details about their internal practices. As far as whether it's a big deal, it probably comes down to trust and risk tolerance. In this case, it sounds like there wasn't much sensitive data in the account. However, in the past, some popular budget management apps required you to enter your credentials for your bank account in order to pull your transactions (perhaps still the case, depending on the app and bank). I'd say this is much more risky access, since your entire bank account is in the hands of a third party. Yet this was (is?) "acceptable" practice (acceptable as in, supported by large banking institutions, although it has raised questions).

The typical solution to this problem would be to use something like OAuth. Using OAuth, Acme would let you choose to delegate limited access to your account in the form of an authorization token that is shared with Bravo. Ideally, the token would only provide the minimum set of privileges necessary to carry out the required actions.

multithr3at3d
  • Thanks! Sorry for being unclear in the question: I didn't proceed with the feature when I saw that warning. I stopped while thinking about whether I wanted to do it. << Or perhaps Bravo isn't able or willing to support a better method at this time. >> I think you mean Acme there. They're the ones granting the full access (to Bravo, Charlie, and several others depending on which features you enable). – Barney Jul 11 '20 at 15:28
  • @Barney right, but Bravo, Charlie etc. would also need to implement something like OAuth. Acme could provide it, but a 3rd party could be lazy and not use it. That doesn't seem to be the case here though. – multithr3at3d Jul 11 '20 at 15:39
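The scoped-token approach the answer describes, as an added example that is not part of the original answer or of any real Acme/Bravo code: a simplified HMAC-signed bearer token (not a full OAuth implementation) that Acme would issue carrying only the scopes the user delegated, plus the check that lets Bravo stream data but denies account-level actions such as changing the password. Action names, scope names, the signing key and the user name are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key for the example; a real issuer keeps this in a secret store.
SIGNING_KEY = b"acme-example-signing-key"

# Scope each (hypothetical) account action requires. Streaming data needs only read
# access; password changes and cancellation need an admin scope Bravo is never given.
REQUIRED_SCOPE = {
    "stream_data": "data:read",
    "change_password": "account:admin",
    "cancel_service": "account:admin",
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, scopes: list, ttl_seconds: int = 3600, now: int = None) -> str:
    """Acme issues a signed bearer token listing only the delegated scopes and an expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": sorted(set(scopes)), "exp": now + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_token(token: str, now: int = None) -> dict:
    """Check signature and expiry; returns the payload or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload

def authorize(token: str, action: str, now: int = None) -> bool:
    """Bravo presents the token; Acme allows the action only if its scope was delegated."""
    try:
        payload = verify_token(token, now)
    except ValueError:
        return False
    needed = REQUIRED_SCOPE.get(action)
    return needed is not None and needed in payload["scope"]

if __name__ == "__main__":
    bravo_token = issue_token("barney", ["data:read"])
    for action in REQUIRED_SCOPE:
        print(action, "allowed" if authorize(bravo_token, action) else "denied")
```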