How the Google and Facebook outages could impact application security
With major outages impacting Gmail, YouTube, Facebook and Instagram recently, consumers are right to be concerned over the security of their private data. While details of these outages haven’t yet been published – a situation I sincerely hope Alphabet and Facebook correct – the implications of these outages are something we should be looking closely at.
The first, and most obvious, implication concerns how data is managed during outages. Software developers tend to design their test suites around proper functionality: does the product or feature operate as expected? Negative testing, or characterizing behavior in the face of adversity, may not be part of the test suites run during normal release cycles.
During any service outage the potential to leak data increases. This leakage might simply be within an application log, an error message, or a status returned from a service. This is independent of any level of malicious attack which might be in progress during the outage. In other words, application developers might simply be placing data which should be protected into debug statements.
The second implication is on downstream services. A downstream service is any service which consumes or leverages data from the system experiencing an outage. For example, if your organization publishes your support videos on the YouTube platform, an outage impacting YouTube could impact your customer satisfaction and potentially your bottom line. Similarly, if you’re using a social media platform as a means of customer engagement, outages could directly impact revenues. Effectively, the service reliability of your data partners can directly impact your reputation in the market.
My third implication speaks to how interconnected our digital world has become. An increasing number of websites now use a social media login instead of requiring a username and password combination. Anyone who’s seen a “Login with Facebook” button will recognize this model. One huge benefit we see with this is that websites which might have previously implemented custom insecure authentication methods, or have suspect encryption for stored passwords, can securely manage passwords for their users by simply not storing them in the first place.
With a social media login, the login provider handles password management and returns an access token representing the user to the website hosting the login button. Using “Login with Facebook” as an example, users enter their credentials into a web page owned by Facebook. Facebook generates an access token for the user on that website and returns it to the website. The website then is able to use that access token to obtain public information on the user, such as their name and avatar icon.
This process increases overall password security by transferring password management to the social media provider. It also works very well – up until the social media provider has an outage. When that happens, the ability to validate the access token could also go offline, at which point users won’t be able to access any data or services behind accounts they’ve protected by such logins.
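The two failure modes described above, leakage through logs and error messages during an outage and token validation going offline, can be exercised together in a negative test. The following is an added example, not code from any login provider or from this article's author; the provider URL, the token value, the exception class and all function names are constructed for illustration.

```python
import hashlib
import logging

SAMPLE_TOKEN = "EXAMPLE-ACCESS-TOKEN-0001"  # constructed value, not a real token

class ProviderUnavailable(Exception):
    """Hypothetical error raised when the login provider cannot be reached."""

def provider_down(token):
    # Simulated outage. Like many HTTP clients, the error text echoes the request URL.
    raise ProviderUnavailable(f"timeout: GET https://provider.example/me?access_token={token}")

def fingerprint(token):
    # Truncated SHA-256 lets operators correlate events without logging the token.
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def validate_leaky(token, introspect, log):
    # Failure path written only for debugging: token reaches the log and the client.
    try:
        return {"status": 200, "user": introspect(token)}
    except ProviderUnavailable as exc:
        log.error("validation failed for token %s: %s", token, exc)
        return {"status": 500, "error": str(exc)}

def validate_hardened(token, introspect, log):
    # Fail closed: no session is granted, and neither output carries the token.
    try:
        return {"status": 200, "user": introspect(token)}
    except ProviderUnavailable:
        log.error("login provider unreachable; token_fp=%s", fingerprint(token))
        return {"status": 503, "error": "Login provider unavailable, try again later."}

def run_during_outage(validator, token=SAMPLE_TOKEN):
    # Capture what the validator logs and returns while the provider is down.
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    log = logging.getLogger(validator.__name__)
    log.addHandler(handler)
    log.propagate = False
    try:
        return validator(token, provider_down, log), lines
    finally:
        log.removeHandler(handler)

if __name__ == "__main__":
    for v in (validate_leaky, validate_hardened):
        print(v.__name__, run_during_outage(v))
```

Running both validators against the simulated outage shows the token in the leaky version's log line and response body, and only a fingerprint in the hardened version's log.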
Luckily the outages we’ve seen have only been a few hours long, but this should serve as a call to action for everyone to review precisely where they’re using their social media logins and what services they’re obtaining data from. When an outage occurs, we shouldn’t take for granted that our information remains secure, and should take the opportunity both to reset the passwords we use on social media platforms and to revoke and reauthorize the access tokens issued by those same platforms. Doing both will minimize the chances of a malicious group benefitting from any service outage and gaining access to our personal data.