Recommend leading by example

In addition, consider that not everyone will be aware of this issue and continue to just do the easy thing (aka lemmings).

The Techspot response on the topic reflects on the site and technical integrity. Whereas revenue is not attached to the implementation of the OAuth API, to ignore the issue is to say IMO, "Techspot doesn't give a D**n". That too would IMO be most unfortunate.
 
Good point. I hope everyone reads both these threads, including forum ownership of course.
 
I saw your other thread and while some concepts are correct, you seem to be overgeneralizing.

User privacy is very important, and as we've learned again and again, good practices such as never repeating passwords, or granting access to services you shouldn't, are your first layer of defense against potential malicious actors.

As far as I know, there's nothing really wrong with OAuth. And we keep up to date on our services/software patches, including those that use the Facebook and Twitter login options. Which are just that, options to ease new users into logging in. We do not request more permissions than needed, just the basic stuff.

With all of that said, the personal identifiable information we collect is close to non-existent, which works in our favor (or rather, our readers' privacy), and we're working on improving upon what we already have established, among other reasons to comply with EU's GDPR initiative.
 
Good point in that Tech Spot does not collect much personal information, but what is here is at least a start if some party was interested in going further. And really, what value is it to Tech Spot to allow signup with social media resources anyway? For the forum I don't see any, but for other services I suppose it does make sense.
 
As far as I know, there's nothing really wrong with OAuth.
Technically, that is correct - it functions according to its design spec. HOWEVER, that API is designed to share the user's email address, and that is the exposure. Third party software gains access to that which it should not, and with that, it can begin a password reset sequence to compromise the user.

It's your site, your name and your reputation so it's your choice.
 
Yes but it's User directly to TS. The path User->FB->TS exposes the email. Suggest you reread the article.
 