Google mass logout riddle deepens: OAuth token fumble blamed The baffling mass logout of Google accounts last week was the result of accidental OAuth token invalidation, a cause Google acknowledged, but only to a subset of those affected. On February 24, an unknown number of people who had been logged into their Google accounts found they had been logged out and had to re-authenticate …
This happened to me too, around 9am (AU time) I received a notification stating one of the two gmail accounts on my phone had been logged out, approx. 4 hours later the second account did the same.
Assumed it was some token getting nuked from orbit due to a security issue, or perhaps in a far less existing but more likely scenario, fat fingers as they say.
Are you a software developer? If not, how would you know. I mean, sure it's a bit weird that in most implementations to have to post the token request formatted application/x-www-form-urlencoded and read a response formatted as application/json. But overall it's more secure than transmitting the password over and over and easier to implement that proprietary protocols. After the authorization it's very very easy to include that token, whether it is by cookie, header or what have you. Middleware is very easy to find too.
What exactly about OAuth is shit?
P.S. If you're looking this up, the OAuth in question is actually OAuth 2.0.
I'm a Infrastructure guy rather than a dev, but have come across OAuth for hybrid Microsoft stuff and SfB / Exchange integration. Seemed easy enough to make it work.
At a very high level, for someone who's an admin rather than a dev, is OAuth comparable to a sort of web-friendly Kerberos? Tickets/tokens shared rather than credentials?
Really felt like a OAuth token being revoked. I also believe it is consistent with what happened with the Google WiFi.
Google has built a more secure WiFi product that has a hardware token inside. It uses your OAuth/Google account with the hardware token. If integrity is broken then a reset is a reasonable course of action.
I saw all of my G devices logout, and this was timed when one of my 5X handsets had died, and I was in the process of recovering data and then RMA'ing it.
Mostly this was an inconvenience, and did initially raise an alarm as I was the account section checking if I'd gained another login elsewhere (I'd hope not, I use 2FA).
What worries me more is the OnHub resets! I don't have one, and personally this just adds to why I won't get one. "Key" infrastructure devices, ala routers should not be subject to the whim of an external 3rd party at all, error or otherwise. At worst I'd expect them to sever connections with the Cloud and request you log back in again, but NOT reset and take all the config with it....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
