These researchers scanned multiple Google apps on the US and Chinese app stores and found a serious loophole.
This flaw resides in the way OAuth 2.0 is implemented in these apps.
If these credentials are identical, then OAuth gets an access token from the ID provider.
This lets the app allow the user to log in using their Facebook or Google credentials.
Unfortunately, using this approach can lead to a serious threat in the Android app ecosystem.
Often, the app server would only check for the user ID retrieved from the ID provider.
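The server-side check described above, next to a stricter one, as an added example that is not code from the original article or the researchers. The ID provider is simulated with an HMAC key, and every name in it (IDP_KEY, APP_ID, login_weak, login_strict) is hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed stand-ins: a real ID provider signs with its own keys or
# offers a token-validation endpoint; every name here is hypothetical.
IDP_KEY = b"constructed-demo-key"
APP_ID = "demo-app"
ACCOUNTS = {"alice": "alice-profile", "bob": "bob-profile"}

def idp_issue(user_id, audience):
    """Simulated ID provider: signs (user, app) after a successful login."""
    claims = json.dumps({"sub": user_id, "aud": audience}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def login_weak(request):
    """Checks only the user ID that the client app forwarded."""
    return ACCOUNTS.get(request.get("user_id"))

def login_strict(request):
    """Takes the user ID only from a token that verifies for this app."""
    try:
        body, sig = request["token"].split(".")
        good = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, good):
            return None                      # not signed by the ID provider
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (KeyError, ValueError, TypeError, AttributeError):
        return None                          # missing or malformed token
    if claims.get("aud") != APP_ID:
        return None                          # issued for a different app
    return ACCOUNTS.get(claims.get("sub"))   # request["user_id"] is ignored

if __name__ == "__main__":
    # Constructed request: a valid token for bob, but a user_id of alice.
    mismatched = {"user_id": "alice", "token": idp_issue("bob", APP_ID)}
    print("weak  :", login_weak(mismatched))
    print("strict:", login_strict(mismatched))
```

The strict handler never reads the forwarded user ID, so a mismatch between it and the token cannot change which account is opened.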
source: www.techworm.net