Okta Acknowledges Customers Affected by Lapsus$ Attack – Computer – News

Before you try to correct me in this ‘friendly’ (/s) way, I’d look it up myself

I’m not talking about the risk that, for example, Tinder can access my Facebook data, but the other way around: Facebook can access my Tinder data.

If you use social login, there is often no password at all (unless you combine it with a password system). So the whole story about passwords is not relevant here either.

Such a party cannot simply log in to your account with username and password because they do not know the latter. They also don’t have any data from the application to log in directly there, just a client id and secret to initiate a request for authentication and thus get the url where the user has to navigate to in order to log in. That redirects back (+ all checks whether that url is allowed etc.) with a code. The application makes another request to exchange that code for an authentication code and voilà, logged in. Now it is even the other way around: the application has access to the third party via an API and not the other way around.

Your story is correct, but you skip the last step: Tinder now has, thanks to the authentication code / access token, access to some of my Facebook data (email / maybe some photos). But what now? I really want to log into Tinder. Behind the scenes this is what happens:

1. Tinder requests the email address associated with the access token from Facebook.
2. Tinder checks, with Facebook, whether the access token has really been issued for the Tinder application, and not for something else.
3. If this is correct, then Tinder knows for sure that I am the owner of the Facebook account associated with that email address, and that I want to log in to Tinder.
4. Then I can access my Tinder account/photos/chat history.

What is the most important piece of information in this flow? The access token… who can generate that? Facebook. Who can access my Tinder data? Facebook (FBI/FB employees/hackers).

That’s where I see the danger. This can be prevented by a 2FA solution that is not owned by Facebook.

Let me put it another way:
I have no password set for Tinder. Where do I enter the necessary information to log in, if not with Facebook?

In short, do yourself a favor and read up on how things like that are implemented.

In short, try to be a little friendly. We both have enough knowledge to have a normal discussion about this :)
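The flow the two commenters are arguing about (client id and secret, redirect URL check, one-time code exchanged for a token, then the check that the token was really issued for this application) is easy to misread without seeing both sides. The following is an added example, not code from the news article or from any commenter: a constructed in-memory identity provider standing in for the social-login provider and a constructed relying party standing in for the app that offers "log in with". All names, URLs, secrets and the `alice@example.com` account are made up for the demonstration. Besides the happy path it shows the two failure modes the thread touches on: a callback to an unregistered redirect URL is refused, and a perfectly valid token that was minted for a different app is refused at step 2, which is what stops one app's token from being replayed to log in to another.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class IdentityProvider:
    """Constructed stand-in for the social-login provider (the 'Facebook' role)."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # one-time authorization code -> (client_id, email, redirect_uri)
        self.tokens = {}   # access token -> (client_id it was issued to, email)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, logged_in_email):
        """User is logged in here; issue a code and redirect back to the app."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:  # exact match, never prefix or wildcard
            raise PermissionError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, logged_in_email, redirect_uri)
        return f"{redirect_uri}?code={code}&state={state}"

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """Back-channel call: code + client credentials -> access token."""
        registered_secret, _ = self.clients[client_id]
        if not hmac.compare_digest(registered_secret, client_secret):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)  # pop makes the code single-use
        if issued is None or issued[0] != client_id or issued[2] != redirect_uri:
            raise PermissionError("code unknown, already used, or bound to another client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, issued[1])
        return token

    def introspect(self, token):
        """Answers 'which app was this token issued to, and for whom?'"""
        client_id, email = self.tokens[token]
        return {"app_id": client_id, "email": email}


class RelyingParty:
    """Constructed stand-in for the app offering social login (the 'Tinder' role)."""

    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id = idp, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()
        # Constructed account store, keyed by the e-mail the provider vouches for.
        self.accounts = {"alice@example.com": "alice's photos and chat history"}

    def start_login(self):
        state = secrets.token_urlsafe(16)  # anti-CSRF value carried through the redirect
        self.pending_states.add(state)
        return state

    def finish_login(self, callback_url):
        params = parse_qs(urlparse(callback_url).query)
        state = params["state"][0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: this session did not start the login")
        self.pending_states.remove(state)
        token = self.idp.exchange_code(self.client_id, self.client_secret,
                                       params["code"][0], self.redirect_uri)
        return self.login_with_token(token)

    def login_with_token(self, token):
        info = self.idp.introspect(token)  # step 2 in the thread: audience check
        if info["app_id"] != self.client_id:
            raise PermissionError("token was issued to a different app")
        return self.accounts.get(info["email"], "no account for this e-mail")


def setup():
    idp = IdentityProvider()
    idp.register_client("tinder", "tinder-secret", "https://tinder.example/callback")
    idp.register_client("othergame", "game-secret", "https://game.example/cb")
    return idp, RelyingParty(idp, "tinder", "tinder-secret", "https://tinder.example/callback")


def demo_happy_path():
    idp, rp = setup()
    callback = idp.authorize("tinder", rp.redirect_uri, rp.start_login(), "alice@example.com")
    return rp.finish_login(callback)


def demo_token_from_other_app():
    """A valid token minted for 'othergame' must not log anyone in to 'tinder'."""
    idp, rp = setup()
    cb = idp.authorize("othergame", "https://game.example/cb", "s1", "alice@example.com")
    code = parse_qs(urlparse(cb).query)["code"][0]
    foreign = idp.exchange_code("othergame", "game-secret", code, "https://game.example/cb")
    try:
        rp.login_with_token(foreign)
    except PermissionError:
        return "rejected"
    return "accepted"


def demo_unregistered_redirect():
    idp, rp = setup()
    try:
        idp.authorize("tinder", "https://not-registered.example/cb", rp.start_login(), "alice@example.com")
    except PermissionError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(demo_happy_path(), demo_token_from_other_app(), demo_unregistered_redirect())
```

The point the second commenter makes still holds in this model: every successful login ends in `introspect` returning an e-mail that the provider asserts, so whoever controls the provider's token store controls who gets into the account. The checks shown here (exact redirect match, single-use code, client authentication on the exchange, audience check on the token, state bound to the browser session) limit what an outsider can do with a stolen code or a token from another app, but they do not change who the trust anchor is; only a second factor held outside the provider, as the commenter suggests, does that.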