Are OAuth login plugins that match on e-mail accounts really secure?


I’ve been playing with the oneall social login plugin for WordPress, to ensure it works well with WP-United. So far it seems to be excellent… but…

By default, the plugin is configured so that, after you’ve signed in via a social network for the first time, it tries to link that social login to an account that already exists on your site.

This sounds like a nice idea: it means that you don’t end up with two accounts. However, it does the matching on the e-mail address reported by the social network, and it does it silently — if it finds an existing account with that address, it logs you into it without ever asking for that account’s password.

It’s not only this plugin — a lot seem to do this.

This post is a question, rather than a solution: how is this secure? What is stopping someone from changing the e-mail address on their social network profile to admin@site-i-want-to-access.com, logging in through that network, and gaining passwordless access to the admin account?

Facebook has fairly robust procedures to confirm e-mail addresses, but do all OAuth login sources have this? Should I trust my admin account to them?

Taking the otherwise excellent oneall plugin as an example again, it offers a long list of sites it can authenticate against, including, for example, Steam, Yahoo, Mail.ru and many others. Do *all* of these sites have robust procedures for validating e-mail addresses? I’d be very surprised if every single one of them is immune to social engineering (e.g. someone calling customer support and getting them to add a new e-mail address to their account details).

By using a social login plugin and allowing matching on e-mail, it strikes me that you have just opened up the most valuable account on your server — it is now only as strong as the weakest link in the chain on any of the above sites.
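As an added illustration (not the oneall plugin’s code, nor anything from the original post): the silent e-mail match described above, modelled as a small linking policy, next to a hardened version that only auto-links when the provider is one the site operator explicitly trusts and that provider asserts the address is verified, and that never silently merges a social login into a privileged account. The provider names, the account table and the `email_verified` flag (modelled on the OpenID Connect claim of that name, which many providers never send) are constructed assumptions.

```python
from dataclasses import dataclass

PRIVILEGED_ROLES = frozenset({"administrator", "editor"})

# Constructed sample of the site's existing accounts: e-mail -> (user_id, role).
EXISTING_ACCOUNTS = {
    "admin@example.com": ("u1", "administrator"),
    "alice@example.com": ("u2", "subscriber"),
}


@dataclass(frozen=True)
class SocialIdentity:
    """What a social login hands back to the site (hypothetical shape)."""
    provider: str
    provider_user_id: str
    email: str
    # Modelled on the OIDC `email_verified` claim; treat a missing claim as False.
    email_verified: bool


def normalise(email: str) -> str:
    """Match on a canonical form so 'Admin@Example.com ' and 'admin@example.com' agree."""
    return email.strip().lower()


def link_by_email_silently(identity: SocialIdentity, accounts=None):
    """The default the post describes: any e-mail match is linked, no password asked."""
    accounts = EXISTING_ACCOUNTS if accounts is None else accounts
    match = accounts.get(normalise(identity.email))
    return ("link", match[0]) if match else ("create", None)


def link_with_verification(identity: SocialIdentity, accounts=None,
                           trusted_providers=frozenset()):
    """Hardened policy. Silent linking only when the operator explicitly trusts the
    provider to verify e-mail AND the provider asserts this address is verified.
    Privileged accounts are never merged silently. Every other match must first prove
    control of the existing account ('require_reauth': password, or a confirmation link
    sent to the address already on file) before the social login is attached to it."""
    accounts = EXISTING_ACCOUNTS if accounts is None else accounts
    match = accounts.get(normalise(identity.email))
    if match is None:
        return ("create", None)
    user_id, role = match
    if role in PRIVILEGED_ROLES:
        return ("require_reauth", user_id)
    if identity.provider in trusted_providers and identity.email_verified:
        return ("link", user_id)
    return ("require_reauth", user_id)
```

The decisive difference is that the hardened policy treats the provider-supplied e-mail as a hint for which account to offer, never as proof of ownership of it.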

The same users who don’t notice this are likely to be the same users who allow in-dashboard theme editing and file uploading in WordPress. It’s not a very big step to go from there to owning their server.
