Millions of Google Gmail users have been issued with a serious warning.

Gmail is the most widely used email service in the world, as well as one of the most secure. However, a potentially dangerous exploit may cause you to reconsider how you wish to use the service in the future.

Security researcher Youssef Sammouda revealed in an eye-opening blog post that Gmail's OAuth authentication method allowed him to chain weaknesses in Facebook and hijack Facebook accounts that were signed in with Gmail credentials. And the ramifications are far-reaching.

Sammouda told The Daily Swig that he was able to hack into accounts by exploiting redirects in Google OAuth and combining them with aspects of Facebook's logout, checkpoint, and sandbox systems. Google OAuth is Google's implementation of the OAuth ('Open Authorization') standard, which is also used by Amazon, Microsoft, Twitter, and other digital heavyweights to let users link their accounts to third-party sites by signing in with their existing identities and passwords.
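The weak link the article describes is the redirect step of the OAuth flow: the authorization server hands the user's code to whatever `redirect_uri` it accepts. The snippet below is an added illustration, not Sammouda's exploit or any Google or Facebook code; it uses a constructed hypothetical client (`app.example.com`) to contrast a loose prefix match against the exact-match validation the OAuth specifications recommend.

```python
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed example: one hypothetical OAuth client with one registered callback.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def weak_redirect_check(redirect_uri: str) -> bool:
    """Prefix match, the pattern to avoid: anything that merely begins with a
    registered URI is accepted, so added path segments, query strings or
    fragments that could later bounce the browser elsewhere pass through."""
    return any(redirect_uri.startswith(reg) for reg in REGISTERED_REDIRECT_URIS)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-string match, as RFC 6749 and the OAuth 2.0 Security BCP advise:
    https only, no fragment, and the whole string must equal a registered URI."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, code: str,
              check: Callable[[str], bool]) -> Optional[str]:
    """Authorization-endpoint stub: returns the URL the user agent would be
    sent to with the authorization code attached, or None when the
    redirect_uri is refused by the chosen validator."""
    if not check(redirect_uri):
        return None
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{sep}code={code}"


# Constructed redirect_uri values a reviewer would run against both checks.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",                             # registered
    "https://app.example.com/oauth/callback/../bounce?next=x",            # extra path
    "https://app.example.com/oauth/callback?next=https://other.example",  # extra query
    "http://app.example.com/oauth/callback",                              # http downgrade
    "https://app.example.com/oauth/callback#frag",                        # fragment
]


def accepted_by(check: Callable[[str], bool]) -> List[str]:
    """Return the sample URIs a given validator lets through."""
    return [uri for uri in SAMPLE_REDIRECT_URIS if check(uri)]
```

Running `accepted_by` with each validator shows the prefix check waving through four of the five samples while the exact match admits only the registered callback.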

Sammouda says the other email providers he tried were not vulnerable in the same way, though he does say the technique may be usable more broadly, "although that was more difficult to design an exploit for." He claims Facebook paid him a 'bug bounty' of $44,625 for its part in the vulnerability. Following that, Facebook patched the vulnerability on their end. I've reached out to Google for comment on the involvement of Google OAuth in the vulnerability, and I'll update this page whenever I hear back.

Malwarebytes Labs, a security firm, issued a warning to anyone who uses connected accounts in response to Sammouda's findings. Pieter Arntz, the company's Malware Intelligence Researcher, writes: "Linked accounts were developed to make logging in quicker. You can log in to different apps, websites, and services using the same account... To gain access to the account, simply confirm that it belongs to you."

"We wouldn't advocate that because if the one password that controls them all is compromised, you'll be in even more danger than if only one site's password is compromised," he explains.

If you're worried about the security of your linked accounts, you can unlink them from Facebook: go to Settings & Privacy > Settings > Accounts Center > Accounts & Profiles. If you currently sign in to third-party sites with Amazon, Google, Microsoft, or Twitter credentials, a similar unlinking process applies there.

All of this creates a severe security vs. convenience dilemma. After all, while it was Gmail credentials this time, other OAuth partners might be next. You have been warned, regardless of your choice.
