Over the last few months I’ve been working on discovering the functionality of the OAuth standard. OAuth (Open Authorization) is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically a username and password.
So lets assume some third-party website like Dropbox wants to import your photos from Facebook. The way this would work is Dropbox would first redirect you to Facebook.com. If you had been logged into Facebook already it would ask you to allow the Dropbox website access to your Facebook information, in this case your photos. If you had not been logged in it would ask you to log into Facebook as usual and then would continue as stated above. Once you had allowed Dropbox access, Facebook would redirect you back to the Dropbox page and the download of your photos would begin.
If you look closely you never had to give your Facebook username and password directly to Dropbox. Instead, you tell Facebook that you want to share information from your profile with the Dropbox application. What really happens is you are allowing Facebook to give Dropbox a unique key that they use to access to your profile. This allows developers to create secure applications that connect with your digital life without them needing to store and keep track of sensitive information such as your Facebook credentials
Sadly the OAuth standard is not widely used, even after huge attempts by Facebook and Google to convince developers to use it, many developers still find OAuth cumbersome or just a pain. Mind you that it has got better in recent years and every month more and more developers begin to use OAuth as the standard for gaining access to third-party sites. However, a large number still use very insecure methods in which your user credentials might be sent over the internet in pain text. A beginner hacker with the right tools could easily sniff the connection and gain access to your important information.
To keep yourself safe always look to see if you are being redirected to the actual site for login and be weary of typing your user credentials on third-party sites. For example, if Dropbox is asking you for your Facebook credentials on their site they are likely not using OAuth. Ultimately to stay secure online always be cautious of where you type your username and password. No website would ever ask you to send your credentials over the internet and with your help we can convince developers to obey standards that allow them to send your credentials over the web in pain text or even worse store them on their site. Remember to always be safe online and as usual take care of your computers.