Why not to use third-party applications? | Forensic 101

Published: 22 February 2025
on channel: Forensic 101

Everyone and everything is online now. We live our lives online, we chat online, we shop online and we even learn online. Our finances have shifted online too, especially post-demonetisation. The government is striving to make our economy digital; Digital India is their goal. It sounds all well and good. A digital economy will mean fewer cash frauds, easier transactions and a significant decrease in the flow of black money.
However, going digital isn't really the safest bet. Hacking and online attacks are an everyday phenomenon. Online fraud, identity theft and even online robberies happen all around the world on a daily basis. This is one of the main reasons we need to educate people and take digital forensics seriously.
We at Forensic 101 create videos on the digital frauds and hacks that take place in day-to-day life, educating people and making the internet a safer place. We work closely with digital forensic solution companies and educational institutes.
Three researchers from the University of Hong Kong presented a paper at Black Hat EU showing that third-party applications which support single sign-on via Facebook and Google using the OAuth 2.0 protocol are exposed to account hijacking, ostensibly leaving one billion apps vulnerable.
The researchers carefully examined 600 of the top apps that use the OAuth 2.0 APIs (application programming interfaces) of Facebook, Google and Sina, in the United States and in China, and found that 41.2 percent of the apps they tested were vulnerable to their attack. These include popular chat, hotel booking, dating, travel, shopping, finance and music applications. In aggregate, the apps tested had been downloaded more than 2.4 billion times, so with a little over 40% of them affected, over a billion downloads are vulnerable. The researchers note that after signing into the victim's vulnerable mobile app account with their exploit, the attacker has full access to the victim's sensitive and private information (chat logs, photos, contact lists) hosted by the backend server(s) of the vulnerable mobile app.
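The page does not describe where the affected apps went wrong, so the following added example (not from the video or the paper) assumes one common failure in OAuth 2.0 sign-in backends: the server accepts a user identifier relayed by the client app instead of deriving identity from the provider's own answer about the token. It contrasts that with a backend that introspects the token with the identity provider and checks the token was issued to this app; the provider, app id and accounts are all constructed stand-ins.

```python
import hmac
import secrets

OUR_APP_ID = "example-app"  # constructed: this relying app's client id at the provider


class IdentityProvider:
    """Constructed stand-in for an OAuth 2.0 provider such as Facebook or Google."""

    def __init__(self):
        self._tokens = {}  # access token -> (user_id, app_id the token was issued for)

    def issue_token(self, user_id, app_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, app_id)
        return token

    def introspect(self, token):
        # Plays the role of a server-side tokeninfo / debug_token lookup:
        # answers who the token belongs to and which app it was issued to, or None.
        return self._tokens.get(token)


def vulnerable_login(request):
    """Weak backend: trusts the user id the client app sends alongside the token."""
    return {"session_for": request["user_id"]}


def hardened_login(request, idp):
    """Hardened backend: identity comes only from the provider, and the audience must match."""
    info = idp.introspect(request["token"])
    if info is None:
        return None  # unknown or expired token
    user_id, app_id = info
    if not hmac.compare_digest(app_id, OUR_APP_ID):
        return None  # valid token, but issued to some other app: do not accept it here
    return {"session_for": user_id}


def compare_backends():
    """Constructed scenario: a genuine token for one account, relayed with a different user id."""
    idp = IdentityProvider()
    token = idp.issue_token("alice", OUR_APP_ID)
    mismatched = {"token": token, "user_id": "bob"}  # relayed id does not match the token's owner
    return vulnerable_login(mismatched), hardened_login(mismatched, idp)
```

The weak backend opens a session for whichever user id was relayed, while the hardened one opens a session only for the account the provider actually vouches for.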