I recently tested an application to determine its usefulness and fitness for purpose. As with several other applications experimented with over the years, this one included the option to integrate directly with other systems; in this case one of the social media platforms. In the settings, an option was available to add the user name and password so that the application could connect to access data directly. This is not a new concept and I have come across many such examples over the last 20 years including:
- Banking applications which allow connections to several bank accounts so that a complete financial status can be viewed from a single dashboard.
- Apps that connect to file storage systems, such as to catalogue songs and create playlists.
Putting the usefulness of such functionality to one side, there are clearly security implications here. Firstly, let’s not confuse this with single sign on (SSO) capability. There are many sites and applications that integrate with Facebook and Google for logon purposes, but when signing in with Facebook or Google, the apps don’t have direct access to the logon credentials. The quantity of data shared through this process has been controversial and has drawn vast media attention. However, the focus here is on cases where applications ask for logon credentials to be entered and stored for subsequent use, and where the application has direct access to the credentials. Essentially, this is giving permission for the application to access other systems. By extension, giving human access to other secure systems.
How do you know what these applications are going to do with your logon credentials? The logon credentials could be stored securely, but could just as easily find themselves stored in plain text in a database with little or no security. This depends much on the credibility of the vendor and the developers. Applications can easily be custom made to offer something useful to a wide audience, with the hidden agenda of capturing user credentials given willingly by their users.
Even assuming there is no malicious intent at all behind the development of applications, there is the issue that banking organisations and social media platforms invent significant resources in improving cyber security, and for credentials to be given to apps that may have been developed by a small business or one person with very limited resources or cyber security capability.
Here are some options to reduce the risks:
- Don’t give 3rd party user credentials to apps, websites or other services
- Exercise vendor and application due diligence before adding 3rd party user credentials
- If 3rd party application integration is essential, consider creating a dedicated account to use. Depending on the purpose, this may or may not be a viable option.
Popular advice is to never share your username and password with anyone. Sharing your usernames and passwords with 3rd party applications can have the same or worse consequences.