Is Open Authentication really secure?


thinkingboy_outlineI have been using Open Authentication for over a year now, in that time I feel I have become comfortable with the knowledge of how it works.   That knowledge lead me to start thinking a little out of the box, with regards to how we are allowing people to access our data.   I began to wonder how the access we give could be in my opinion miss used.  In this post I’m going to take you on a quick tour of how Google Open Authentication works.  Then we are going to take a look at what I believe could be a few problems.

What is OAuth?

Open Authentication (OAuth) is a way for you to allow programs, applications, and website access to your data.       You are normally given a pop up window where it says that said application would like access to your information.    Below you will find two examples the first one is an application “Google Analytics Windows” asking for permission to Access your Google Analytics data.   The Second is a login to a website asking to View your basic account information.

          Oauth2 WebLogin

 

How does it work?

When you hit accept what happens is that Google gives the application or website an Access Token and a Refresh Token.    The Access Token is used to access your data,   an Access Token is only good for about an hour after that time it expires and they must request a new one.   The refresh token is good until you  until you revoke access (changing your password does not revoke access),  by using the refresh token the application or website can request a new Access Token to request your data with.   Not to confuse you but here is what an Access Token looks like:

ya29.1.AADtN_W8vxWj_pTi61VhaEmjjD3ujg1q5lVE292MAMJfXubpRZ4GghulJBp2pTqsZKvMuluVlWZ1Jmk-uEc

That may not mean much to you but to a computer system its an open ticket.    Remember even if you change the password on your Google+ account these systems will still have access to your data.    Why? Because they can at anytime use the Refresh Token to get a new Access Token and have instant access to your information.    Until you revoke the access they can still be requesting your data.

Here is where I start to question the idea of OAuth.  They technically don’t have to wait for you to run their program to access your data, they can do it anytime they want.   If you log in to a website using Google+ you may never go back there again but they could still be checking your personal information.  What could they use it for?  In my opinion this information could be very useful for analysis.   They know you haven’t come back, but they don’t know why you haven’t come back.   Websites want you to come back right that’s the hole point behind Google Analytics analyzing traffic to figure out how to keep you there and keep you coming back.    They could use the refresh token to go check your data against the data of their other customers to try and analyze why you aren’t returning.   They could also sell this information to someone else right?  Would they do that?

What about applications that access the other APIs?  What if you gave them access to your Google drive?  Remember you gave them access, you said they could do it.   They didn’t tell you when they where going to do it. They also didn’t tell you that they would only do it when you asked.   Depending upon the type of application they may have to supply you with some kind of “Data usage policy” telling you what they are doing with your data.  But how can you tell if they are sticking to this policy?   Does Google give you a way to see this?  Not one that I have found, and I have looked.

Basic information

Websites you log in to with your Google account normally ask for the right to view the  basic information for your account.  Sometimes they ask for your Email information as well.    It really depends on the site what information they ask for,  you do read it right?   Lets see. What exactly does Google define as basic?   Google is very nice and gives its developers a way of testing out things.  If you want to try and see what kind of information you are allowing them to see you can test it here:   Try it    You are in fact giving them access to a lot of data about your Google+ account.  (Skills, occupation, URLs, name, tagline, bragging rights, about me, image, schooling, places lived, language, age, number of people that have you in circle)

Who has access?

Can you remember everyone that you have given access to?  I couldn’t so I decided to try and see if there was somewhere in Google I could find this information.   I have to say what I found shocked me.

The First page I found was App Settings in Google+.  This page didn’t give me any surprises.    Below you will find a list of apps 3 of them are my own.  I knew about all of these.   Did you find anything you didn’t expect?

App Settings google+ 

The second page I found is called Account Permissions.  This one was a bit of a shock, I found 29 entries.   The list is very nice,  you can click on each item and it displays a date of when you Authorized it.   Unfortunately it doesn’t  give a date as to the last time it accessed my data.     Here is one that I had a big blank on,  I have no idea why they have access to my Google Analytics data, and they have had access since July.  That bothered me for some reason.   A company I don’t remember giving access to has had access to my data for 7 months.    I am not saying they have done anything, but I can’t be sure because I have no way of knowing when they last accessed it.    I Googled the company but was unable to find out what app or programs they have,  it must have been something I was testing.

BarracudaDigital 

After removing all the unknown unwanted ones I was down to 17.   That’s a lot of applications and websites that have had access to my data that I no longer used.

There is a third site which gives almost the same information as the one above but a little less fancy.   Authorized access to your Google account.

What I would like to see

While I think asking Google to show me exactly what they are sending to these company’s may be a little much to ask.    I think it would be a good idea to show us when they are accessing the information.     If they are scanning my profile for analysis I want to know about it.   Its my data!

I’m not sure what to do about the password issue.  If I change my password should I at least be prompted by Google about these  Authorized Access?  Should Google be telling the average user that changing their password wont affect Authorized assess, and tell them how to check that?  Yes I think they should.

Conclusion

In conclusion I would just like to say I think we are being to trusting with OAuth its simple click Accept and your in.   But we aren’t questioning enough what they are doing once we click Accept.    I think we should.

I leave you with a few questions:   Is OAuth easier to use then logging in with your login and password all the time?  Is it safer?  Do you after reading this and seeing who has had access to your data believe that  your Data is safe?


About Linda Lawton

My name is Linda Lawton I have more than 20 years experience working as an application developer and a database expert. I have also been working with Google APIs since 2012 and I have been contributing to the Google .Net client library since 2013. In 2013 I became a a Google Developer Experts for Google Analytics.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.