
Over A Billion Apps Can Be Hacked With This Simple Hack - Science/Technology - Nairaland


Over A Billion Apps Can Be Hacked With This Simple Hack by djayflex: 8:04pm On Nov 06, 2016
Security researchers from the Chinese University Of Hong Kong have discovered a way to target a huge number of Android apps that could allow them to remotely sign into any victim's mobile app account without any knowledge of the victim.
They discovered that most of the popular Android apps that support single sign-on (SSO) service have implemented OAuth 2.0 the awfully wrong way.

OAuth 2.0 is an open standard for authorization that allows app users to log in to other third-party services by verifying the existing identity of their Google, Facebook, or Microsoft accounts.

This process enables users to sign in to any service without providing additional usernames or passwords.

How are app developers supposed to implement OAuth? (The Right Way)



Usually when a user signs into a third party app via OAuth, the app verifies with the ID provider, let’s say, Facebook, that it has correct authentication details. If it does, OAuth will receive an 'Access Token' from Facebook which is then issued to the server of that mobile app.

Once the access token has been issued, the app server asks for the user's authentication information from Facebook, verifies it and then lets the user sign in with his/her Facebook credentials.

How are most app developers really implementing OAuth? (The Wrong Way)



The researchers found that the developers of a massive number of Android apps did not properly verify the validity of the information sent from the ID provider, like Facebook or Google.

Instead of verifying OAuth information (Access Token) attached to the user's a


Read more: http://www.istylmagazine.com/news/technology/over-a-billion-apps-can-be-hacked-with-this-simple-hack/
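
The server-side check described under "The Right Way" in the post above, as an added example that is not part of the original post: the app server asks the identity provider about the token itself and signs in only the user the provider names. The provider is simulated in-process, and `APP_ID`, the token strings and the function names are constructed for illustration. The checks for a token issued to a different app and for a client-supplied user id that disagrees with the provider go beyond what the post spells out.

```python
# Added example: app-server login that trusts only what the identity
# provider says about the token. Everything here is constructed.

APP_ID = "app-123"  # this app's client id at the provider (constructed)

# Constructed stand-in for the provider's server-to-server token lookup:
# token -> (app the token was issued to, user id, still valid?)
_IDP_TOKENS = {
    "tok-alice": ("app-123", "alice", True),
    "tok-bob": ("app-123", "bob", True),
    "tok-other-app": ("app-999", "alice", True),
    "tok-expired": ("app-123", "alice", False),
}


def idp_introspect(token):
    """Simulate asking the identity provider what a token stands for."""
    record = _IDP_TOKENS.get(token)
    if record is None:
        return None
    app_id, user_id, active = record
    return {"app_id": app_id, "user_id": user_id, "active": active}


def login(access_token, claimed_user_id=None):
    """Return the user id to sign in, or raise PermissionError.

    claimed_user_id is whatever identity the mobile client sent along
    with the token. It is never used to pick the account; it can only
    cause a rejection when it disagrees with the provider.
    """
    info = idp_introspect(access_token)
    if info is None or not info["active"]:
        raise PermissionError("token unknown or expired")
    if info["app_id"] != APP_ID:
        raise PermissionError("token was issued to a different app")
    if claimed_user_id is not None and claimed_user_id != info["user_id"]:
        raise PermissionError("client-claimed user does not match token")
    # The identity comes from the provider's answer, not from the client.
    return info["user_id"]
```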
Re: Over A Billion Apps Can Be Hacked With This Simple Hack by FlySly05: 8:28pm On Nov 06, 2016
Well let's just say we are bleeped with the knowledge of this glitch in Chinese' hands.


I said Bleep.ed and not a fucking sound.
