The price of logging in with Facebook, Google is bluff

When giving an application or website the right to log in with a Facebook or Google account, the user gave away the key to open his secret box.

In early October, Meta issued a warning that a million Facebook users may have been compromised by 400 malicious applications that are sophisticatedly designed to hand over user credentials. This is quite familiar: when downloading an application or accessing a website, developers often ask users to register for an account, or will ask: "Do you want to log in with your Google or Facebook account".

With just one click, users can comfortably use the service. But the price of convenience is that you might inadvertently allow someone access to your most private trove of data. This is a common trick of scammers, but many people still fall into the trap.

Users should protect and control their Google and Facebook account login rights. Photo: WSJ

Risks of the "login" button

Example with iCIMS platform. It has 2.4 million users and is used by big companies like Microsoft, Uber, UPS, Target and IBM to recruit staff. The problem is that when uploading an online resume to Google Drive, a message appears: "This will allow iCIMS to view and download all your Google Drive files". Many people may not notice and ignore, but on Google Drive not only documents are stored, but also photos, videos, tax returns and many other sensitive personal information. Just by uploading a resume, users have to trade off too much private data.

Al Smith, chief technology officer of iCIMS, said that they currently do not rummage through users' information files beyond what they upload to the platform. However, technology experts realized, the platform is still asking for access to all files on Google Drive. Smith argues this is a "standard connection managed by Google" and the only way to share Drive files when iCIMS creates its website.

A Google spokesperson told the WSJ that users still have the right to "choose and control" data sharing in the terms, but in reality people just click yes without paying much attention to the text pages. lettered version.

The first risk of logging in with Facebook, Google is that many fake websites and applications can easily steal users' accounts and passwords. Second, anyone who hacks into a user's Google or Facebook account will also have access to the apps and websites they're logged into. Third, Google and Facebook can still use "user-permitted" permissions when logging in to track even when they are not using the platform.

When should logins be allowed?

According to Bogdan Botezatu, Director of Threat Research and Reporting at security firm Bitdefender, asking for a login is not always a bad thing. If it is a legitimate website or service, users need not worry too much.

For example, some people still log into Zoom via their Google account. The app will ask for access and calendar permissions and execute some commands automatically. "But a conundrum is how do you know when this is and isn't allowed?" asks Jen Caltrider, privacy project lead at the nonprofit Mozilla. ask. Even being an expert in this field, not everyone is 100% sure of their choice.

More and more companies hide they are doing business based on the collection of user data. In 2018, Google was criticized for hundreds of apps trying to access people's Gmail content to provide services like price comparisons and automated travel scheduling. Even the company's machine learning and employee training apps can read users' emails. Facebook has even more policy violations. In 2019, the company had to pay a $5 billion fine after the Federal Trade Commission investigated its partner Cambridge Analytica's access to users' personal data.

How to check where logged in

Both Google and Facebook allow users to check which websites and applications they have logged into their accounts. Users should regularly update and manage this list.

With Google, users can view the list in the control center section. All third-party apps signed in with the account are displayed. They reserve the right to revoke login permission from this hub.

With Facebook, users can log in to their account, open the associated website and app settings, and remove the account from where they were logged in. In addition, the social network also offers a feature that automatically disables connections after 90 days of inactivity.