I’ve been playing with the oneall social login plugin for WordPress, to ensure it works well with WP-United. So far it seems to be excellent… but…
By default, the plugin’s settings are such that, after you’ve created an account via a social network login, it tries to link your login to an account that already exists on your site.
This sounds like a nice idea… it means that you don’t end up with two accounts. However, it does this by matching to existing accounts on your e-mail address. And it does it silently — if it finds a match, it doesn’t ask for a password for the existing account.
It’s not only this plugin — a lot seem to do this.
This post is a question, rather than a solution: How is this secure? What is stopping someone from changing their e-mail address on a social site to firstname.lastname@example.org, and gaining passwordless access to that account?
Facebook has fairly robust procedures to confirm e-mail addresses, but do all OAuth login sources have this? Should I trust my admin account to them?
Taking the otherwise excellent oneall plugin as an example again, it offers a long list of sites it can authenticate against, including, for example, Steam, Yahoo, Mail.ru and many others. Do *all* of these sites have robust procedures for validating e-mail? I’d be very surprised if every single one of them is immune to social engineering (e.g. by calling customer support and getting them to add a new e-mail address to your account details).
By using a social login plugin and allowing matching on e-mail, it strikes me that you have just opened up the most valuable account on your server — it is now as strong as the weakest link in the chain on any of the above sites.
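To make the linking problem concrete, here is an added example of the decision logic on the site's side. It is not code from this post or from the oneall plugin; the user table, password hashing, provider names and provider user ids are all constructed stand-ins. `silent_email_linking` reproduces the behaviour described above (match on e-mail, no password, no check that the provider verified the address), and `guarded_linking` / `confirm_link` show the alternative: only an identity that was previously linked logs in directly, an e-mail match only starts a confirmation step that needs the local account's password, and an address the provider does not assert as verified is never offered a link at all.

```python
"""Account-linking decisions for a social (OAuth) login flow.

Added example, not code from the post or from the OneAll plugin. The user
table, password hashing, token store and provider identifiers are all
constructed stand-ins for a CMS's own storage and authentication.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class SocialIdentity:
    provider: str            # provider name as reported by the login plugin (assumed)
    provider_user_id: str    # stable id issued by the provider (constructed values below)
    email: str               # e-mail address the provider reports for this user
    email_verified: bool     # whether the provider asserts it has verified that address


@dataclass
class LocalUser:
    username: str
    email: str
    password_hash: str
    is_admin: bool = False


def _hash(password: str) -> str:
    # Stand-in for the CMS's real password hashing; constructed for the example only.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample data: local users keyed by lower-cased e-mail,
# established provider links, and pending confirmation tokens.
USERS = {
    "admin@example.org": LocalUser("admin", "admin@example.org", _hash("hunter2"), is_admin=True),
    "alice@example.org": LocalUser("alice", "alice@example.org", _hash("correct horse")),
}
LINKS: dict = {}     # (provider, provider_user_id) -> username
PENDING: dict = {}   # one-time token -> (provider, provider_user_id, username)


def reset_state() -> None:
    LINKS.clear()
    PENDING.clear()


def silent_email_linking(identity: SocialIdentity):
    """The behaviour described in the post: any provider identity whose e-mail matches
    an existing account is linked and logged in, with no password prompt and no check
    that the provider actually verified the address."""
    user = USERS.get(identity.email.lower())
    if user is None:
        return ("CREATE_ACCOUNT", None)
    LINKS[(identity.provider, identity.provider_user_id)] = user.username
    return ("LOGGED_IN", user.username)


def guarded_linking(identity: SocialIdentity):
    """Hardened decision. Only an identity linked earlier logs in directly. An e-mail
    match alone never grants access: it opens a confirmation step that requires the
    local account's password, and an unverified provider e-mail is not even offered one."""
    key = (identity.provider, identity.provider_user_id)
    if key in LINKS:
        return ("LOGGED_IN", LINKS[key])
    user = USERS.get(identity.email.lower())
    if user is None:
        return ("CREATE_ACCOUNT", None)
    if not identity.email_verified:
        # The provider has not vouched for this address, so do not tie it to an
        # existing account; send the visitor through the ordinary sign-up path instead.
        return ("LINK_REFUSED", None)
    token = secrets.token_urlsafe(16)
    PENDING[token] = (identity.provider, identity.provider_user_id, user.username)
    return ("CONFIRM_REQUIRED", token)


def confirm_link(token: str, password: str):
    """Second step: the visitor proves control of the existing local account before
    the provider identity is linked to it. Tokens are single-use."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return ("DENIED", None)
    provider, provider_user_id, username = entry
    user = next(u for u in USERS.values() if u.username == username)
    if not hmac.compare_digest(user.password_hash, _hash(password)):
        return ("DENIED", None)
    LINKS[(provider, provider_user_id)] = username
    return ("LOGGED_IN", username)


if __name__ == "__main__":
    # A provider identity carrying the admin's e-mail, but with no verification claim.
    stranger = SocialIdentity("steam", "76561", "admin@example.org", email_verified=False)
    print("silent:", silent_email_linking(stranger))   # logs straight into "admin"
    reset_state()
    print("guarded:", guarded_linking(stranger))       # link refused
```

The `email_verified` flag models the claim a provider returns about the address (the post's point is that not every provider's claim is worth the same). The password step is what actually closes the gap, because it ties the link to something the site controls rather than to the weakest provider's support desk.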
The same users who don’t notice this are likely to be the same users who allow in-dashboard theme editing and file uploading in WordPress. It’s not a very big step to go from there to owning their server.