Posted on

One oAuth 2.0 hack, 1 Billion Android App Accounts potentially exposed

How safe is data on your smart phone app, not as safe as you think. Using smart phones as a payment system may have its risks.

Security researchers demonstrated that a Wrong OAuth 2.0 implementation allows a remote simple hack that exposes more than 1 Billion Android App Accounts.

Hacks
OAuth2.0 hack – information that can be accessed by criminals in hacked applications

A remote simple hack devised by a group of security researchers threatens an amazing number of Android and iOS apps. An attacker can use the technique to sign into any victim’s mobile app account without any knowledge of the legitimate user.

The research team from the Chinese University of Hong Kong is composed of Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The experts discovered that the vast majority of popular mobile apps that use the single sign-on (SSO) service doesn’t properly implement the OAuth 2.0 protocol.

The OAuth 2.0 authentication protocol is widely used on social networking sites, every day billion of users access their profiles on Facebook and Google+ using it.

Using the OAuth 2.0, users can sign in for third-party services by verifying existing identity through their accounts on popular web services such as Google, Facebook, or Sina.

Once authenticated, the users haven’t to provide their credentials to access other services implementing the OAuth 2.0 protocol.

Orginally posted on securityaffairs.co

read more…