[cybersecurity] Login with social account


Many websites and applications show buttons labelled “Login with social account”. The most common are login with Google, Facebook, Twitter and other well-known sites. Let’s try to understand what these buttons are for, what benefits they bring, what information risks they create, and how to protect your information.

Purpose

What are these buttons for?

They allow applications and websites to identify users.

Who is a user?

When you use any application or website you automatically become its user. Even if the website has no information about you in its database, you are still a user of that website.

Why is identification necessary?

Depending on the application or website, identification may be needed for different purposes. For example, you log in to your email account to see your messages, or you log in to an online store so that the store knows where to send the things you bought.

What ways of identification exist?

1. The most common way of identification is to fill in forms with all the data the application requires from a user. The user clicks the “Sign Up” button, enters his personal data, creates a password, and confirms his email address or phone number. After registration the user has to take one more step to become an identified user: he logs in to his account with the email (username/phone number) and the password he created during sign-up. That’s all; he is now an identified user and the application already has information about him in its database.

2. To avoid the steps described above, the concept of social login was developed. It achieves the same result with much less effort from the user: identification with a social account takes just a few clicks. Let’s see how this second way of identification works.

Companies

As we all know, there are IT companies that lead this field: Google, Facebook, Amazon and others like them. These companies enjoy a great deal of authority and trust around the world, and almost everything that happens in the IT field is related to them.

So a number of these companies, taking advantage of their reputation and the trust placed in them, give other companies a way to identify users based on their databases.

How does social login work?

The concept of social login is very simple; it is done in the following steps:

  • The user opens an application or website and sees a “Login with social account” button
  • By clicking the button he is redirected to the social website
  • The social website then tries to identify the user
  • After identification the website informs the user that his personal data is about to be transferred, shows the list of data that will be transferred, and asks him to confirm. Usually at this step the user can choose to allow only the permissions he wants.
  • Here the user can either cancel the identification process or accept it and be redirected back to the initial website/application with an identified status.

Login with Facebook

As an example, let’s look at “Login with Facebook”, which is done in the following steps:

1. The user launches the application and sees a button called “Login with Facebook”

2. By tapping that button he is redirected to a page with the following content:

  • Name and logo of the application
  • The list of information that is going to be sent to the application
  • Continue and cancel buttons

3. By tapping the continue button, the user is redirected to a page where he can restrict the permissions and information he does not want to be available to the application

4. On this page he finalizes the identification process by tapping the confirmation button

5. The user is then redirected back to the initial application with an identified status and may land on different pages depending on the application.
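The steps above, played out in code as an added example (not from the original article and not real Facebook or Google API code): the provider, the application and the user are all simulated in one process with constructed data. It shows two things the prose only implies: the user can leave boxes unticked on the consent screen and the application then receives only the data those remaining permissions cover, and the application must tie the redirect that comes back to the login it started (the `state` value) so that a stray or replayed callback is rejected. The scope names, user record and session id are assumptions.

```python
"""Toy model of the social-login flow.

Constructed example: the provider, the application and the user are
simulated in-process with hand-built data; scope names are assumptions.
"""
import secrets
from dataclasses import dataclass, field

# Constructed provider database: who the social website already knows.
PROVIDER_USERS = {
    "session-abc": {"id": "u-1001", "name": "Ani", "email": "ani@example.org",
                    "phone": "+374-00-000000"},
}

# Which profile fields each (assumed) permission unlocks.
SCOPE_FIELDS = {"public_profile": ("id", "name"), "email": ("email",), "phone": ("phone",)}


@dataclass
class Provider:
    """The social website: identifies the user and asks for consent."""
    codes: dict = field(default_factory=dict)   # one-time codes -> grant
    tokens: dict = field(default_factory=dict)  # access tokens -> grant

    def authorize(self, session, app_name, requested_scopes, state, keep):
        """Steps 2-4: consent screen; the user keeps only the scopes in `keep`."""
        user = PROVIDER_USERS[session]  # step 3: the provider identifies the user
        granted = [s for s in requested_scopes if s in keep]
        if not granted:
            return None  # user cancelled: nothing is sent back to the app
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"user_id": user["id"], "app": app_name, "scopes": granted}
        return {"code": code, "state": state}  # carried on the redirect back

    def exchange(self, code):
        """The app trades the one-time code for an access token."""
        grant = self.codes.pop(code)  # pop: a code can only be used once
        token = secrets.token_urlsafe(16)
        self.tokens[token] = grant
        return token

    def profile(self, token):
        """Return only the fields covered by the granted scopes."""
        grant = self.tokens[token]
        user = next(u for u in PROVIDER_USERS.values() if u["id"] == grant["user_id"])
        return {f: user[f] for s in grant["scopes"] for f in SCOPE_FIELDS[s]}


@dataclass
class App:
    """The website that offers the 'Login with ...' button."""
    name: str
    scopes: list
    provider: Provider
    pending: dict = field(default_factory=dict)  # open logins, keyed by state

    def start_login(self):
        """Steps 1-2: build the redirect; `state` ties the callback to this request."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = True
        return {"app": self.name, "scopes": self.scopes, "state": state}

    def finish_login(self, callback):
        """Step 5: accept the redirect only if `state` matches an open login."""
        if callback is None or not self.pending.pop(callback.get("state"), False):
            raise PermissionError("cancelled, unknown or replayed login callback")
        token = self.provider.exchange(callback["code"])
        return self.provider.profile(token)


def try_finish(app, callback):
    """Boolean-style wrapper: the profile on success, None if the callback is rejected."""
    try:
        return app.finish_login(callback)
    except PermissionError:
        return None


def social_login(keep, session="session-abc"):
    """Run the whole flow; `keep` is what the user leaves ticked on the consent screen."""
    provider = Provider()
    app = App("Example Shop", ["public_profile", "email", "phone"], provider)
    request = app.start_login()
    callback = provider.authorize(session, request["app"], request["scopes"],
                                  request["state"], keep)
    return try_finish(app, callback)


if __name__ == "__main__":
    print(social_login(["public_profile", "email", "phone"]))  # everything the app asked for
    print(social_login(["public_profile"]))                    # phone and email withheld
    print(social_login([]))                                    # user cancelled -> None
```

Two details carry the weight here. The code is popped from the provider's table when exchanged, so it cannot be redeemed twice, and the application pops the `state` it generated, so a callback it did not initiate is refused before any token is requested.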

Frequently Asked Questions

Question 1. Apart from the risk of information leakage, what other risks can this way of logging in cause?

There are various websites and applications that manage users’ social accounts. For example, there are applications that manage Facebook pages by creating posts, launching ads and replying to messages. Such applications usually ask not only for the user’s personal information but also for permissions that let them perform those actions on the Facebook page.

So by granting such permissions to an application, you automatically allow it, for example, to create posts on your Facebook page without your knowledge.

It is advisable to grant such permissions only to applications and websites you trust. Otherwise your social account may end up under the control of an unknown website or company that can perform unwanted actions with your account without your knowledge.

Question 2. Is there any company or system that prevents abuse of users’ trust?

Almost all social websites that let other applications use their databases have their own review teams, which check what user information and which permissions other applications and websites intend to use.

Question 3. Is it possible to revoke permissions that have already been accepted?

Yes. Users can manage the list of applications they have granted permissions to. This is done by logging in to the social website and navigating to the connected applications section.

Question 4. How can a user detect that an application is abusing his trust and taking data it does not need?

The user needs to know exactly why he is signing in to the application and what that application is going to offer him.

For example, if the user’s phone number is irrelevant to the application but the application tries to obtain it, this is most likely an abuse of trust. In that case it is recommended either to cancel the login or to block the transfer of the information that raises suspicion.
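The advice in Questions 3 and 4 can be turned into a small check, given here as an added example rather than anything from the original article or from a real social website’s settings page: a constructed list of connected applications, a policy table stating which permissions each kind of application plausibly needs, an audit that flags everything granted beyond that, and a revoke action that removes either selected scopes or the whole application. The application names, purposes and scope names are all assumptions.

```python
"""Constructed 'connected applications' list with an audit and a revoke action.

Added example; the purpose categories, scope names and applications are
assumptions, not data from any real provider.
"""

# What each kind of application plausibly needs (constructed policy table).
NEEDED_BY_PURPOSE = {
    "news_reader":  {"public_profile"},
    "online_shop":  {"public_profile", "email"},
    "page_manager": {"public_profile", "email", "manage_pages", "publish_posts"},
}

# Constructed list of applications the user has already accepted.
CONNECTED_APPS = [
    {"app": "Daily Headlines", "purpose": "news_reader",
     "granted": {"public_profile", "email", "user_phone"}},
    {"app": "Example Shop", "purpose": "online_shop",
     "granted": {"public_profile", "email"}},
    {"app": "PageBot", "purpose": "page_manager",
     "granted": {"public_profile", "email", "manage_pages", "publish_posts", "user_friends"}},
]


def excess_permissions(app):
    """Question 4: permissions beyond what the application's stated purpose calls for."""
    return sorted(app["granted"] - NEEDED_BY_PURPOSE[app["purpose"]])


def audit(apps):
    """Map each application with something to flag to its suspicious scopes."""
    flagged = {}
    for app in apps:
        excess = excess_permissions(app)
        if excess:
            flagged[app["app"]] = excess
    return flagged


def revoke(apps, app_name, scopes=None):
    """Question 3: disconnect the application entirely, or drop only the listed scopes.

    Returns a new list; the input is left untouched.
    """
    remaining = []
    for app in apps:
        if app["app"] != app_name:
            remaining.append(app)
            continue
        if scopes is None:
            continue  # full disconnect: the application is no longer listed
        kept = app["granted"] - set(scopes)
        if kept:
            remaining.append({**app, "granted": kept})
    return remaining


if __name__ == "__main__":
    print(audit(CONNECTED_APPS))
    trimmed = revoke(CONNECTED_APPS, "Daily Headlines", ["email", "user_phone"])
    print(audit(trimmed))
    print([a["app"] for a in revoke(trimmed, "PageBot")])
```

The news reader holding an email address and a phone number is exactly the case the answer describes: the data has no bearing on what the application does, so the audit flags it, and the user can strip those two scopes while keeping the login itself.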

Question 5. If there are different ways of logging in, which one is preferable from a security point of view?

From a security point of view the conventional way is preferable: the user fills in his personal information manually without connecting his social account to the website or application. In this case he should be mindful and not enter any personal information that is not needed.

However, this method has a drawback: it is time-consuming and demands effort from users. People prefer to log in with a single touch instead of filling in complicated registration forms. Taking this into account, the short way of logging in is also acceptable, but only after reviewing the permissions and restricting them where necessary.