Blog | G5 Cyber Security

Can Apps Post As You? (Identity Provider Security)

TL;DR

Apps can post as you if they have permission through an identity provider like Facebook, Google, or Microsoft. This is usually controlled by OAuth scopes and app permissions. Regularly review and revoke access to apps you no longer use or trust.

Understanding the Problem

When you log into a website or app using “Sign in with Google” or “Continue with Facebook”, you’re granting that app limited access to your account information through an identity provider (IdP). This isn’t full account control, but it allows the app to act on your behalf within defined boundaries.

How Apps Get Permission

  1. OAuth Scopes: When an app requests access, it asks for specific scopes (permissions). For example:
    • email: Allows the app to see your email address.
    • profile: Allows the app to see basic profile information like name and picture.
    • publish_actions (Facebook): Allows the app to post on your behalf.

    You’ll usually be presented with a screen listing these scopes before you grant permission.

  2. App Permissions: Some platforms have more granular permissions settings within their security settings. These allow you to control exactly what each connected app can do.

Can Facebook Post Stack Overflow Questions?

Yes, in principle an application connected to your Facebook account could post to Stack Overflow (or another platform) if it holds the necessary permissions and uses the Facebook Graph API correctly. In practice this is unlikely for a typical app, because it would require code written specifically for that purpose.

How to Check App Permissions & Revoke Access

  1. Facebook:
    1. Go to Settings & Privacy > Settings > Apps and Websites.
    2. Review the list of connected apps.
    3. Click on an app to see what permissions it has.
    4. To remove access, click Remove App or adjust individual permission settings.
  2. Google:
    1. Go to My Account > Security > Third-party app access.
    2. Review the list of apps with access to your account.
    3. Click on an app and choose Manage Access.
    4. You can either remove access completely or adjust specific permissions.
  3. Microsoft:
    1. Go to My Account > Privacy > App & service permissions.
    2. Review the list of apps and services with access.
    3. Click on an app and adjust permissions or remove access.

Protecting Yourself

  1. Be Careful What You Connect: Only connect apps you trust to your identity provider accounts.
  2. Review Permissions Regularly: Check app permissions periodically, especially for sensitive accounts like email and social media.
  3. Use Strong Passwords & Two-Factor Authentication: Secure your identity provider accounts with strong passwords and enable two-factor authentication (2FA) whenever possible. This adds an extra layer of security even if an app is compromised.
  4. Monitor Account Activity: Regularly check your account activity for any suspicious posts or actions you didn’t authorize.

Technical Details (For Developers)

OAuth 2.0 and OpenID Connect are the standards used for granting limited access to user accounts. The scopes an application requests determine what data it can read and what actions it can perform. It is crucial that applications request only the minimum scopes they need.
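As an added example (not code from the original post), the following Python builds an authorization URL of the kind this section describes and then audits its scope parameter against the minimum an app actually needs. The endpoint, client id, redirect URI and state value are constructed placeholders; publish_actions is the page's own example of a scope that lets an app post as you.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for this example; not a real identity provider or client.
AUTH_ENDPOINT = "https://idp.example.com/oauth2/authorize"

# Scopes that let an app act on the user's behalf rather than just read identity.
ACTING_SCOPES = {"publish_actions"}


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Assemble an OAuth 2.0 authorization-code request; 'scope' is space-separated."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,  # anti-CSRF value the client must check on the callback
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(url):
    """Extract the set of scopes an authorization URL asks the user to grant."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def audit_scopes(url, needed):
    """Compare requested scopes with what the app actually needs.

    Returns the excess scopes, the subset that would let the app act as the
    user (e.g. post on their behalf), and whether the request is least-privilege.
    """
    asked = requested_scopes(url)
    excess = asked - set(needed)
    return {
        "requested": sorted(asked),
        "excess": sorted(excess),
        "acting_as_user": sorted(asked & ACTING_SCOPES),
        "least_privilege": not excess,
    }


if __name__ == "__main__":
    # A login-only app needs identity scopes, yet this request also asks to post.
    url = build_authorization_url("demo-client", "https://app.example.com/cb",
                                  ["openid", "email", "publish_actions"], "x7Kq")
    print(url)
    print(audit_scopes(url, needed={"openid", "email"}))
```

The same audit can be run over any consent-screen URL you capture from a browser before approving it.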

# Example OAuth 2.0 authorization URL (simplified)