What's your understanding of oAuth (v2) - privacy or other

Discussion in 'privacy general' started by phkhgh, Dec 22, 2019.

  1. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    Have many Wilders users read up on oAuth's privacy or other concerning issues? As in, fine details about accessing data on your device (we'll protect it with our lives).

    Most articles I've read don't talk much about security, privacy of oAuth, but I haven't had that much time. Been busy.*

    My 1st experience w/ oAuth was 2017 on Github, when Mozilla Discourse was on there (I guess). Or use some of my Github acct data to login to Discourse. I contacted Github's support.
    They wrote back,

    Oh, they (who ever "they" was) only wanted to READ my email ADDRESSES & private profile info, in my settings? Well, SURRRE!! Why didn't they say so sooner? And here's all the digits in my SSN - scrambled. See if you can buy a house.

    Even if all they wanted was to read my email address(es) & profile, in THAT site's profile, about all they'd see is my notification email addy (which they could start spamming). That's not enough to prove who I am.

    Am I missing something about oAuth? Are users really going to let some company (oAuth provider) rummage around their computer or device personal data? I've read Google is supposed to be a leader in the newest, easier way to gather data on you - but other big players will get in if it's worth their time.

    I wouldn't let Google & their many clones carry a bag of used cat litter to the curb for me, much less "look around" in my computer. Unless the articles I read about oAuth are WAY off, I have a hard time believing fairly intelligent adults would let any entity do that.

    * Been busy checking that all personal credit history accts w/ big 3 Credit Reporting Agencies were frozen & adding extra "fraud alerts" to my accts.
Dealing w/ several banks sending letters about my recent applications for credit cards - that I didn't apply for. One of the banks' letters about my CC applic. had a long-ass reference # and came to my address of 19 yrs.

    "Needed to speak to me." I called to straighten it out. AFTER I gave her the reference #, lady wanted me to give my full name, address, zip, last 4 digits of SSN & few other things, before they would "reverse" the hard credit pull they did on (my) actual credit history. If I was the fraud, how'd I get the letter? Why is your bank's credit pull in my Equifax acct?
    Did I wait by the mailbox of who I'm impersonating, steal the letter before the real Percival Shardglobs gets it? All this meaning, the crooks definitely have my SSN, full name & home address.

    I was polite, but said I'm not giving detailed personal data to someone that just sent me a letter. I don't have any business dealings w/ you. I'm certainly not giving even the last 4 of SSN to someone I don't know. Crime rings could send 1000's of letters like this. Besides, I gave you plenty of info to know I'm the real addressee of your letter.
"Well, we're required by law to get this data before we can (basically, close it as fraudulent application)."

    I asked if those laws came from the same people that allow huge for-profit corps to gather taxpayers private data, and charge them to look at their own data (if > 1x / yr); charge them a hefty amt to "freeze / unfreeze / re-freeze" their OWN credit history; make millions off selling OUR private data - to ANYONE, not just when we apply for credit??

    After the lawsuit & some of the fastest legislative changes ever, for $0 everyone can freeze / unfreeze / re-freeze their credit history and get several free credit reports/ yr.
Take it from me & others I know personally that had attempts of identity theft. If you had any work / credit history before the Equifax breach in 2017 & you don't freeze all 3 CRAs' accts (for free), there may be something wrong.

    It took about 2 yrs after the breach of the lovely CRA, Equifax, until crooks started in earnest using my stolen ID data.
    Early this yr (or last?) - after the breach, someone used our credit card - but only to buy a few $$ gas or car wash or cheap meal - several times in 1 mo. Somehow, all those debits were w/o a card present (so the stores reported). Crooks must know where to go to use stolen card #'s.

    The small, local purchases could've been from the Equifax breach or from someone using card skimmers at gas stations. I've read several places that thieves often buy small items on newly acquired cards or accts, to see if they work & no one notices.

    It won't matter if Equifax or Experian (from settlement w/ Uncle Sam) gives free (yea, "free") credit monitoring & identity theft insurance for 7yr or whatever it is. That data is out there forever & criminal rings will wait till you die if they have to.
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Oct 7, 2017
    Member state of European Union
I don't fully understand oAuth at the moment, but it does not authorize the oAuth provider to access your PC. oAuth may let you authorize access to some resources on some public Internet service, i.e. an e-mail account. This access may be granted to your local e-mail client or some other company that would do something with the resources you have chosen to grant access to. The good thing about oAuth is that authorization can be easily revoked, but of course if you grant access to some resources for some company and that company copies those resources, they will not be deleted by revoking access.
  3. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    I'm no expert on it, either. When you say,
OK, maybe. How does reading an email acct (e.g., from Github or say, a lesser known site) prove my identity any better? Unless I've used the same address for yrs & frequent the site. If they get some of that info, we're squarely back to tracking & data mining.

    If they don't know how long the address has been active or how often you visit a site (maybe never since 1st registered), then it doesn't seem the best method of verifying a user. I think they'll want something much more identifying about you / your device.
    The whole process seems to me like a thinly veiled way to gather more data.

    When the oAuth (don't know the version) used on Mozilla Discourse offered, it wanted to read my Github email addresses AND profile. Which site you allowed it access to (or it suggested) and depending on what is in the profile or how many email addresses (just the names) are listed, the oAuth provider or the site seeking authorization could get a bit of data.

    This is fairly old, but the data discussed may still work the same in oAuth 2:
    Another response said they did get the email address.
    I don't know why users would put their real name, gender, DOB, self image in an email acct (or Github) but some do.

What do you think they would want to access, to have confidence that the token issued would reliably identify you?
    I'm not sure if you're correct or not. Most of what I find speaks in general terms.

    This was written 2014, but still has some value https://mortoray.com/2014/02/21/the-dangers-of-oauthsocial-login/
    * I'm not sure of the author's meaning by, "all the applications ever authorized."
    Whether the current specs would allow provider employees to access authorized applications to infinity and beyond, or not.

    Another site - little blip (Google - & their oAuth / OpenID Connect) https://developers.google.com/identity/protocols/OpenIDConnect#scope-param
    Well, what could possibly go wrong with any of that on 100's of 1000's of sites?
    Equifax & Capital One could give training on how to protect users' data.

    If these new(er) methods to login aren't forced to drastically limit what they can access (and who enforces that?), it'll be worse for non-technical users than before.
  4. mirimir

    mirimir Registered Member

    Oct 1, 2011
    I would not go anywhere near OAuth. For any reason.
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Oct 7, 2017
    Member state of European Union
I think this discussion would be hard, because oAuth may be used for many completely different things. Registering to one service using an already created account on another service is just one way. In this case I of course support using old-school login and password. For other things like authorizing my local e-mail client such as Thunderbird to retrieve messages from my i.e. Gmail account it is fine.
  6. phkhgh

    phkhgh Registered Member

    Aug 17, 2007
    @ mirimir,
    (1) I don't know if that'll be possible in some cases, unless you change banks, if most start using oAuth in some way. Just like when users create any online acct or install software, they're responsible for reading AND understanding the ToS and Privacy Policy.
    Many policies are so long, use vague and complicated language that I don't know how "average" users with little experience or training in reading legal documents could ever completely understand them.

I don't have enough info or understanding of most, much less all oAuth use scenarios (as reasonablePrivacy pointed out). I've read technical articles (e.g., by Google - how to use oAuth 2 & ConnectID (I think that's what Google calls it)). A document like that isn't going to point out what could be misused or abused - intentionally or not, or what can go wrong.

    I've read blog or computer / internet news sites type articles. They're usually pretty generic. If they discuss potential privacy or security problems - for consumers, they often don't give enough details (that most users could understand if they're really interested).

    @ reasonablePrivacy - I couldn't agree more. But someone or some organization has to start somewhere, researching & reporting what users need to be aware of in given scenarios.

    One thing I HAVEN'T found so far, are lots of layman's terms articles, showing what data could be gathered by the oAuth provider or the site asking for authorization; or details on storing oAuth (or similar) gathered data or issued tokens, etc. They sure have policies about email service, but from what I've seen, not many are asking about oAuth or other verification / authentication processes.

    If it's SO complicated - when & how users are supposed to know to avoid one scenario vs. another, or stop their registration or login process & wait for more details or explanation on ALL the data that could be accessed, most users will throw up their hands. Kind of like we now let agencies spy on every citizen. According to the courts, violating the Constitution in the process.

    In the admittedly few "live" oAuth login / registration instances I've seen directly, the info or details provided in a popup, wasn't clear on exactly what data might be accessed.

    Some articles / demos indicated that from very little - to a lot - of data could be acquired by the provider and / or the service provider. Maybe I'll see if Google has written policies as an oAuth provider or as a service needing user verification.

Another thing I doubt many users consider is the comment I quoted, about sites having to securely store tokens (if used - as one method). The more data that tokens contain, the more valuable they become to hackers. AT&T just implemented oAuth - for email clients only.

    I looked but haven't found anything stating their process, what user data is accessed, how long it's stored - by what method.
    Email client developers may know some of that (or not) - I haven't seen anything. They are very conspicuously silent on details of verification.

    For AT&T email client users that aren't oAuth ready (or other issues), they forced those users to change from client PWs, chosen by USERS or software - 24 ch (max), using upper / lower case alpha, 0 - 9 numeric and a few special characters. They now force non-oAuth users to accept AT&T generated, 16 ch "secure keys," apparently using only lower case letters. No upper case letters or numbers or special characters.

    One wonders why they allowed more secure email client PWs for years, then drastically reduced PW strength at the same time oAuth is introduced (no details how it's used). They did NOT change PW policy for web mail.

It's like they REALLY want customers to use oAuth - for some mysterious reason, punishing email client users' security if they don't. Probably goodbye to AT&T email - only used for recovery, junk accts, anyway. Na na na na, hey hey hey...

    Thunderbird & AT&T are at odds over some security certificate issue. Fortunately, I rarely use AT&T email & not for anything important. I could close all their accts. I don't know if I'd have used oAuth if it worked in Tbird, because AFAIK NO one gave any details - what data would be accessed; how it's used / stored (if applicable).

    Saying, "read email addresses" is vague. MY own addresses, or also my contacts? Think it's absurd to question that? For decades, Gmail scanned email content of non-gmail users that replied to Gmail customers (as many other email providers). Non-gmail users didn't agree to Google terms & in any court of law, wouldn't be expected to know Gmail's policies. (Yes, they could've easily not scanned - for content & ad delivery - all mail from non-gmail addresses.)

    If Equifax that held almost every piece of important financial, personal & job data known to man, on hundreds of millions of people in several countries, lost almost ALL of the critically private data, what are the odds of most companies or small web sites protecting data - if it's more useful to crooks than just email addresses & (hashed) passwords?
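As an added illustration (not code from anyone in this thread) of the two points raised above, reasonablePrivacy's note that oAuth grants scoped, revocable access to resources on a service rather than to your PC, and phkhgh's complaint that "read email addresses" does not say whether contacts are included, here is a toy authorization server plus resource server in Python. The scope names, the sample user data and the `introspect`/`fetch` helpers are constructed for this example; real providers define their own scopes.

```python
# Added example: a toy OAuth 2 style resource server that enforces per-token
# scopes and honours revocation. Scope names and user data are constructed.
from dataclasses import dataclass, field
import secrets

# Constructed sample resources for one user account on the service.
USER = {
    "email": ["alice@example.invalid"],
    "profile": {"name": "Alice", "location": "somewhere"},
    "contacts": ["bob@example.invalid", "carol@example.invalid"],
}

# Which scope a client needs for each resource. A narrow scope for the
# user's own addresses is deliberately distinct from one covering contacts,
# so a consent screen can say exactly which is being requested.
REQUIRED_SCOPE = {
    "email": "user:email",
    "profile": "user:profile",
    "contacts": "contacts:read",
}


@dataclass
class AuthServer:
    """Issues opaque tokens bound to a fixed scope set; can revoke them."""
    _tokens: dict = field(default_factory=dict)

    def issue(self, scopes):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = frozenset(scopes)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def introspect(self, token):
        # None for unknown or revoked tokens; otherwise the granted scopes.
        return self._tokens.get(token)


def fetch(auth, token, resource):
    """Resource-server check: deny unless the token carries the right scope."""
    scopes = auth.introspect(token)
    if scopes is None:
        return ("denied", "invalid or revoked token")
    need = REQUIRED_SCOPE.get(resource)
    if need is None or need not in scopes:
        return ("denied", f"missing scope {need}")
    return ("ok", USER[resource])
```

Revoking the token stops further `fetch` calls, but anything the client already copied before revocation is outside the server's control, which is the caveat reasonablePrivacy raised.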