
3rd Party Login & Security Risks

TL;DR

Yes, attackers can intercept your credentials even when logging in through a third-party service (like Google or Facebook) on an insecure website. While the third party handles password storage securely, the communication between you, the website, and the third party can be vulnerable if the website doesn’t use HTTPS.

Understanding the Risks

Third-party logins simplify access, but they don’t automatically make a site secure. Here’s what’s happening behind the scenes:

  1. You authenticate with the 3rd party: You log in to Google/Facebook etc.
  2. Token Exchange: The third party creates a unique token and sends it to the website. This token proves you’re logged in without sharing your password.
  3. Website Verification: The website uses this token to confirm your identity with the 3rd party.

The vulnerability lies in steps 2 and 3, the exchange of this token. If the connection between you and the website isn’t secured with HTTPS, an attacker on the path can intercept the token and use it in place of your login.
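To make the three steps concrete, here is a toy model of the exchange written for this post; it is an added example, not code from the original article or from any real provider. The `IdentityProvider` class stands in for Google/Facebook, the callback URL stands in for the website, and the token format, the `InsecureRedirect` error and the `login_via_third_party` helper are all constructed for illustration. Real OAuth 2.0 / OpenID Connect flows carry more parameters, but the two defensive checks shown (the token is only ever sent to an `https://` address, and it is single-use and bound to the website it was issued for) are exactly the properties an insecure HTTP site cannot give you.

```python
"""Toy model of the three-step third-party login flow (added example).

Names, token format and error types are constructed for illustration and
are not a real provider's API.
"""
import secrets
from urllib.parse import urlsplit, urlencode, parse_qs


class InsecureRedirect(ValueError):
    """The website asked for its token to be delivered over plain HTTP."""


def redirect_uri_is_secure(uri):
    """Step-2 safety check: the token only travels to an https:// address."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)


class IdentityProvider:
    """Plays the role of the 3rd party (Google/Facebook) in the post."""

    def __init__(self):
        self._issued = {}  # token -> (user, website callback it was issued for)

    def authenticate_and_issue(self, user, website_callback):
        # Step 1: the user has logged in here (modelled as already trusted).
        # Step 2: a one-time token is created and handed to the website by
        # redirecting the browser to the website's callback URL.
        if not redirect_uri_is_secure(website_callback):
            raise InsecureRedirect(f"refusing to send a token to {website_callback}")
        token = secrets.token_urlsafe(16)
        self._issued[token] = (user, website_callback)
        return f"{website_callback}?{urlencode({'token': token})}"

    def verify(self, token, website_callback):
        # Step 3: the website presents the token back to the provider, which
        # confirms the identity. The token is single-use and only valid for the
        # website it was issued to, so a copied token is worthless elsewhere.
        record = self._issued.pop(token, None)
        if record is None or record[1] != website_callback:
            return None
        return record[0]


def token_from_callback(url):
    """Extract the token the browser carried to the website's callback URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("token", [None])[0]


def login_via_third_party(provider, user, website_callback):
    """Run all three steps from the website's point of view.

    Returns the verified user name, or None if the provider refused to send
    the token because the website's callback is not an https:// address.
    """
    try:
        callback_url = provider.authenticate_and_issue(user, website_callback)
    except InsecureRedirect:
        return None
    token = token_from_callback(callback_url)
    return provider.verify(token, website_callback)


if __name__ == "__main__":
    idp = IdentityProvider()
    print(login_via_third_party(idp, "alice", "https://shop.example.test/callback"))
    print(login_via_third_party(idp, "alice", "http://shop.example.test/callback"))
```

Running the block prints `alice` for the HTTPS callback and `None` for the HTTP one. The point of the second check in `verify` is that even a token observed on the wire is tied to one website and consumed on first use; the point of the first check is that a provider should never put a token on a plain-HTTP redirect in the first place, because that redirect is the hop the post describes as interceptable.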

How Attackers Intercept Credentials

  1. Man-in-the-Middle (MitM) Attacks: An attacker positions themselves between you and the website, capturing all data transmitted. This is easier on public Wi-Fi networks without proper security.
  2. Packet Sniffing: Attackers use tools to capture network traffic and look for unencrypted tokens being sent back and forth.

Steps to Protect Yourself

  1. Always Check for HTTPS: Before entering any credentials, ensure the website address starts with https:// and displays a padlock icon in your browser’s address bar. This indicates an encrypted connection.
  2. Avoid Insecure Websites: If a site doesn’t use HTTPS, avoid logging in through any method, including third-party services.
  3. Use Strong Passwords on 3rd Party Accounts: A compromised third-party account can give attackers access to all sites using that login. Enable two-factor authentication (2FA) wherever possible.
    Enable 2FA for Google, Facebook etc.
  4. Review App Permissions: Regularly check which apps have access to your third-party accounts and revoke unnecessary permissions.
  5. Be Wary of Phishing: Attackers may create fake login pages that look like legitimate third-party services or websites. Always double-check the URL before entering credentials.
  6. Use a VPN (Virtual Private Network): A VPN encrypts your internet connection, protecting your data from eavesdropping, especially on public Wi-Fi.
    Consider using a reputable VPN service.
  7. Browser Security Extensions: Install browser extensions that warn you about insecure websites and potential threats (e.g., HTTPS Everywhere).
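The checks in steps 1 and 2 above can also be applied to a login page's HTTP response rather than only by eye. The following is an added example, not code from the original post: `assess_login_response` takes a URL and a list of response header pairs (the two sample responses are constructed for this illustration, not captured from any real site) and reports the signs of an insecure login: a plain-HTTP page, a missing Strict-Transport-Security header, and a session cookie that the browser would also send over http:// because it lacks the Secure flag.

```python
"""Spot the signs of an insecure login page from its URL and response headers.

Added example; the sample responses are constructed and the function names are
the author's choice, not a library API.
"""
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def assess_login_response(url, headers):
    """Return a list of findings (empty means nothing obviously wrong).

    headers: list of (name, value) pairs as they come off the wire, so that
    repeated Set-Cookie headers are preserved.
    """
    findings = []
    scheme = urlsplit(url).scheme
    if scheme != "https":
        findings.append("page served over plain HTTP: credentials and tokens travel in clear text")
    names = {name.lower() for name, _ in headers}
    # Browsers ignore HSTS sent over http://, so only judge it on https:// pages.
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header: a later http:// visit can be downgraded")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure: the browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly: page scripts can read it")
    return findings


# Constructed sample responses (not captured from any real site).
INSECURE_SITE = (
    "http://shop.example.test/login",
    [("Content-Type", "text/html"),
     ("Set-Cookie", "session=abc123; Path=/")],
)
SECURE_SITE = (
    "https://shop.example.test/login",
    [("Content-Type", "text/html"),
     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
     ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
)

if __name__ == "__main__":
    for url, headers in (INSECURE_SITE, SECURE_SITE):
        print(url)
        for finding in assess_login_response(url, headers) or ["no findings"]:
            print("  -", finding)
```

For the constructed insecure site the function reports three findings (plain HTTP, and a session cookie without Secure or HttpOnly); for the secure one it reports none. The Secure-cookie check matters for third-party logins in particular: once the website has turned the provider's token into a session cookie, that cookie is what an eavesdropper on public Wi-Fi would actually capture if the site still has any http:// pages.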

What if I’ve Already Logged In on an Insecure Site?

  1. Change Your Password Immediately: Change your password for both the website and your third-party account.
  2. Revoke Access: Revoke access to the website from your third-party account settings.
    For example, in Google Account Security settings, check ‘Third-party apps with access’.
  3. Monitor Your Accounts: Keep a close eye on both accounts for any suspicious activity.