{"id":1066,"date":"2014-05-02T19:59:39","date_gmt":"2014-05-02T23:59:39","guid":{"rendered":"http:\/\/mikemartinezonline.com\/blog\/?p=1066"},"modified":"2014-05-02T20:11:02","modified_gmt":"2014-05-03T00:11:02","slug":"serious-openid-and-oath2-0-flaw-revealed","status":"publish","type":"post","link":"https:\/\/mikemartinezonline.com\/blog\/2014\/05\/02\/serious-openid-and-oath2-0-flaw-revealed\/","title":{"rendered":"SERIOUS OpenID and OAuth 2.0 flaw revealed"},"content":{"rendered":"<p><a href=\"https:\/\/mikemartinezonline.com\/blog\/wp-content\/uploads\/2014\/05\/skull.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"skull\" alt=\"skull\" src=\"https:\/\/mikemartinezonline.com\/blog\/wp-content\/uploads\/2014\/05\/skull_thumb.jpg\" width=\"244\" height=\"173\" border=\"0\" \/><\/a><\/p>\n<p>Okay folks, ANOTHER security issue you should be aware of.<br \/>\nA bug has been found in OpenID and OAuth 2.0, two authentication protocols that let you log into web sites using your Google, Facebook, and other major accounts. Read <a href=\"http:\/\/www.cnet.com\/news\/serious-security-flaw-in-oauth-and-openid-discovered\/\">here<\/a> and <a href=\"http:\/\/redmondmag.com\/articles\/2014\/05\/02\/oauth-and-openid-flaw-found.aspx\">here<\/a> too.<\/p>\n<p>OAuth\u2014and its alternative OpenID\u2014let you log into sites or apps using your Google, Twitter, Facebook, or other credentials, without having to create yet another account or give the app more permission than necessary. OAuth and OpenID, in essence, authenticate you with the site: they tell the site you are who you say you are and let you log in without having to enter a separate username and password for it.<\/p>\n<p>For example, when logging into LinkedIn you are asked whether you&#8217;d like to use your Google or Facebook account credentials. 
You enter those credentials (Facebook or Google) and you are let in, because LinkedIn relies on that other provider to &#8216;authenticate&#8217; you. You see this all the time on news sites and blogs &#8211; if you&#8217;d like to comment or post, you&#8217;re asked for some sort of &#8216;authentication&#8217;, usually Google, Yahoo, Hotmail or Facebook.<\/p>\n<p><strong>THAT&#8217;S why I live by the mantra &#8211; use different credentials (username AND password) for EVERY site you log in to!! AND NEVER &#8216;LINK&#8217; ANY ACCOUNTS!<\/strong><br \/>\nThough this may seem difficult given how much of our lives is now &#8216;online&#8217;, it is not that hard if you use a password manager such as <a href=\"https:\/\/lastpass.com\/\">LastPass<\/a> or <a href=\"http:\/\/keepass.info\/\">KeePass<\/a>. I NEVER use any \u2018other\u2019 account to log in to any services \u2013 ever. Every account gets its own credentials. That way, if one is compromised, no other one will be.<\/p>\n<p>Please be safe out there folks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Okay folks, ANOTHER security issue you should be aware of. A bug has been found in OpenID and OAuth 2.0, two authentication protocols that let you log into web sites using your Google, Facebook, and other major accounts. 
Read here and here too. OAuth\u2014and its alternative OpenID\u2014let you log into sites or apps using your &hellip; <a href=\"https:\/\/mikemartinezonline.com\/blog\/2014\/05\/02\/serious-openid-and-oath2-0-flaw-revealed\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;SERIOUS OpenID and OAuth 2.0 flaw revealed&#8221;<\/span><\/a><\/p>\n","protected":false},"author":587,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[50,21,13],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/posts\/1066"}],"collection":[{"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/users\/587"}],"replies":[{"embeddable":true,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/comments?post=1066"}],"version-history":[{"count":2,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/posts\/1066\/revisions"}],"predecessor-version":[{"id":1069,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/posts\/1066\/revisions\/1069"}],"wp:attachment":[{"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/media?parent=1066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/categories?post=1066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikemartinezonline.com\/blog\/wp-json\/wp\/v2\/tags?post=1066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}