How I Hacked Into Facebook Login To Get Access To Uber, Ola, Zomato, Snapdeal & More

How I Hacked Into Facebook Login To Get Access To Uber, Ola, Zomato, Snapdeal & More

While researching for our new venture TOTUM, we hacked around facebook login,  looking for alternate login methods. This is when we discovered  a major security breach, which can compromise your data across multiple platforms.

In simple words,  whenever you choose the “Login Through Facebook” option on any website or mobile app, you expose every other account where you ‘logged in through Facebook’ including Uber, Snapdeal, Zomato and Foodpanda among the rest.

How Facebook Login Works

security breach

Security Breach

Let’s say you login to app X via Facebook. X will receive an access token from Facebook and will send it to X’s server and save it.

But now X can use this same access token to login to any and every other platform impersonating you and access your data ranging from your recent orders on Zomato or your purchase history from Snapdeal to getting access to your private messages and the list goes on.

We tested out this security breach on our TOTUM app’s test run and to our amazement, by using a single access token that we received from Facebook, we were able to access the entire account history of that user on a series of big players like Zomato, Foodpanda, Snapdeal etc.

login access

Our Evil Plan

We initially  thought of creating a chrome plugin that can inspect the web pages before viewing and blur the text where GOT (Game of Thrones) related information is published, so that you do not read spoilers.

Our guess was such a plugin would have received a pretty generous number of user downloads. But this plugin would have been infected with a virus that reads your Facebook access token and scraps user data from different target sites. This would have given us a huge user account base to begin our exploits.

But the genius yet kind souls that we are, we decided instead to post about this breach and alert the unsuspecting net savvy souls who are ever so eager to ‘Login through Facebook’ and save the extra 2 minutes, about the consequences of this simple step.

Food For Thought

Would you want every online account you ever create to be available for misuse by any random app? Isn’t it scary to think anyone can book rides using your Uber account and pay using your PayTM wallet ?

Facebook has access to all the information about every platform which provides the ‘Login Through Facebook’ option. They can scrap from all the platforms anytime they want.

Until this issue is resolved, your online data is all up for grabs.

[This article is contributed by Mohit Bagga, Co-Founder & CTO @ Codebibber & Tajinder Pal Singh Chahal]

Note: The views and opinions expressed are solely those of the author and does not necessarily reflect the views held by Inc42, its creators or employees. Inc42 is not responsible for the accuracy of any of the information supplied by guest bloggers.

Author

Guest Author

Community

Inc42 Magazine has a lot of great guest authors, from techies, entrepreneurs to Silicon Valley CEO's, Angel's and many more. Interested in contributing? Mail us at [email protected]!

Responses
https://inc42.com/flash-feed/snapdeal-trolls-flipkart/

Upcoming Events