Web apps have become so complex that they’re unsafe to use, researchers say
The shared-login tokens and processes used by many web-based apps and services, as well as some web apps themselves, are fundamentally insecure and create a potential gold mine for hackers, three security researchers said at the Black Hat and DEF CON computer-security conferences here last week.
The problem is that today’s online services are so complex and difficult to understand that hackers, phishers and other crooks have plenty of opportunities to steal files, implant malware and gain access to accounts.
“Lots of bad assumptions were made when protecting these protocols,” said Jenko Hwong, a researcher at Netskope whose DEF CON talk Saturday (Aug. 7) focused on glaring weaknesses in the OAuth open-authentication protocol used by Microsoft, Facebook, Google, Twitter and hundreds of other companies. “OAuth is a mess, and no one understands it all.”
In the DEF CON presentation just before Hwong’s, Snapchat researcher Matt Bryant showed how Google’s own cloud-based Apps Script development tool makes it easy to hijack Google accounts and gain access to files, contacts and emails in the online Google Workspace environment.
And at Black Hat on Thursday (Aug. 5), Matthew Weeks of Deloitte showed how file-accessing web apps that are supposed to be restricted to specific directories can “escape” their confines and end up hacking desktop computers.
How you can protect yourself
To minimize the risks of phishing attacks that abuse OAuth and Google Workspace, you could in theory log out of each account when you’re finished using it for the day, which revokes its access tokens and session cookies. But you’d have to do so on every device on which you’re logged in.
This creates tremendous inconvenience. Who really logs out of Twitter when they’re done using it? Who’s going to log out of Google every day on each PC, Mac or smartphone they own, only to log in again the next day? Furthermore, you’re vulnerable again as soon as you log back in.
To minimize the risks of file-altering web apps, be very alert when a website asks you to grant permission to a file or folder on your PC or Mac — and be sure that the files that you grant access to have specific names.
You’ll also want to install and…