November 17, 2016 by

OAuth 2.0 Claims it is Still Secure, “If Used Properly”

In the aftermath of the revelation that a billion mobile apps could be hijacked through a vulnerability in OAuth 2.0 usage, discovered by three Chinese researchers from the University of Hong Kong, OAuth 2.0 has claimed it is still secure for non-mobile implementations.

In an email to customers, OAuth 2.0 has unsurprisingly reached out to quell fears about a security compromise of its API, as revealed by the Chinese researchers.

In an attempt to reassure customers, the company writes in plain bold text:


As an easier way of describing it to customers, OAuth 2.0 states that app developers used the global user identifier as their app’s password with their own servers. “It is not the protocol, but their implementation” that is the cause of the shoddy security, the company argued.

As an example, the company pointed to SSH (Secure Shell), a network protocol that is secure by design. However, if a developer were to hard-code the authentication certificate in clear text, that security would be rendered meaningless.

The company then explained:

The fundamental flaw is that some mobile app developers are lazy and will use the mobile device’s global user identifier instead of issuing their own identification token for their app. It is completely unrelated to the web-based authentication method used by the original, non-mobile version of OAuth used by Avanan.
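As an added illustration (not code from the article or from the vendor quoted above), the flaw described above in the shape of a backend login handler: the vulnerable version trusts a client-supplied global user identifier as if it were a password, while the hardened version verifies the access token with the identity provider, checks it was issued for this app, and then mints its own session token. The provider lookup table, the app identifier and the user identifiers are constructed stand-ins.

```python
import secrets
from typing import Dict, Optional, Tuple

OUR_APP_ID = "com.example.app"  # hypothetical app identifier (assumption)

# Constructed stand-in for the identity provider's token-introspection endpoint:
# access token -> (global user identifier, app the token was issued to).
# Real code would ask the provider over HTTPS instead of consulting a dict.
IDP_TOKENS: Dict[str, Tuple[str, str]] = {
    "tok-alice-ours": ("alice-global-id", "com.example.app"),
    "tok-alice-other": ("alice-global-id", "com.other.app"),
}

SESSIONS: Dict[str, str] = {}  # app-issued session token -> user id


def login_insecure(global_user_id: str) -> str:
    """The pattern the article criticises: the client sends only the provider's
    global user identifier and the server treats it as proof of identity.
    The identifier is not secret, so this check proves nothing."""
    session = secrets.token_hex(16)
    SESSIONS[session] = global_user_id
    return session


def login_secure(access_token: str) -> Optional[str]:
    """Hardened pattern: verify the access token with the identity provider,
    confirm it was issued for this app, then mint the app's own session token."""
    info = IDP_TOKENS.get(access_token)
    if info is None:
        return None            # unknown, expired or forged token
    user_id, audience = info
    if audience != OUR_APP_ID:
        return None            # valid token, but issued to a different app
    session = secrets.token_hex(16)
    SESSIONS[session] = user_id
    return session
```

The audience check matters as much as the signature check: a token a user legitimately granted to some other app must not log them in here.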

As LIFARS reported yesterday, the researchers assessed 600 of the top apps that used OAuth 2.0 APIs from identity providers Facebook, Google and Chinese-based Sina, the operator of popular platform Weibo. Some of these apps are the most downloaded in the world, with hundreds of millions of downloads in some cases.

Altogether, the apps tested by the researchers had been downloaded over 2.4 billion times. The researchers concluded their testing by revealing that a little over 40% of those apps were vulnerable. That’s a billion downloads of applications currently on users’ phones and other mobile devices.

Image credit: Pixabay.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
