Salt Security has published research revealing critical API security vulnerabilities in the OAuth implementations of popular online platforms including Grammarly, Vidio and Bukalapak.
The vulnerabilities, which have since been fixed, could have exposed user credentials and enabled full account takeover, putting more than a billion users at risk.
The research paper, published today, marks the final chapter in Salt Labs' OAuth hijacking series, building on earlier discoveries of vulnerabilities in platforms such as Booking.com and Expo. The weaknesses identified this time centered on how the platforms verified OAuth access tokens, rather than on the protocol itself.
These flaws posed severe risks: a cyber-criminal could gain unrestricted access to a victim's account, and with it to sensitive financial and personal information, exposing users to identity theft and financial fraud.
OAuth, the widely adopted authorization framework behind "social login," simplifies sign-in by letting users log in to a website with an existing social media account. In the affected implementations, the site accepted an access token that the identity provider had issued for a different application (one the attacker controls) as if it were a token issued for the site itself, and used it to log the attacker in as the token's owner. Salt Labs refers to this as a "Pass-The-Token Attack." The practical lesson is that a relying site must check not only that a token is valid and which user it belongs to, but also which client application it was issued to.
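The following is an added example, not code from the Salt Labs report or from any of the platforms named above. It simulates, entirely offline, a constructed identity provider that issues access tokens bound to a user and to the client application that requested them, and contrasts a login check that only asks "whose token is this?" with one that also verifies the token was issued to the site's own application. The provider methods (`me`, `introspect`), the app identifiers and the account table are all hypothetical stand-ins for a real provider's user-info and token-introspection endpoints.

```python
"""Pass-The-Token: vulnerable vs hardened social-login token verification.

Constructed simulation (not real provider code): FakeIdP stands in for a
social-login provider. Each access token it issues is bound to a user AND
to the client application (app_id) that obtained it. A relying site that
only asks the provider "who does this token belong to?" will accept a
token the attacker obtained through a *different* application and log
the attacker in as the victim.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class TokenInfo:
    user_id: str
    app_id: str            # client application the token was issued to
    scopes: frozenset


class FakeIdP:
    """Hypothetical identity provider holding tokens in memory."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, app_id, scopes=("email",)):
        """Issue a token for user_id to the client app_id (result of a user login)."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = TokenInfo(user_id, app_id, frozenset(scopes))
        return token

    def me(self, token):
        """Analogue of a user-info call: returns the owner, says nothing about audience."""
        info = self._tokens.get(token)
        if info is None:
            raise PermissionError("invalid token")
        return {"id": info.user_id}

    def introspect(self, token):
        """Analogue of a token-introspection call: reports owner and issuing client."""
        info = self._tokens.get(token)
        if info is None:
            return {"active": False}
        return {"active": True, "user_id": info.user_id,
                "app_id": info.app_id, "scopes": sorted(info.scopes)}


OUR_APP_ID = "app-relying-site"          # hypothetical client id of the site
ACCOUNTS = {"victim-123": "victim@example.com"}   # constructed account table


def vulnerable_login(idp, token):
    """Trusts the user-info call alone: any valid token for the user logs in,
    no matter which application the provider issued it to."""
    user_id = idp.me(token)["id"]
    return ACCOUNTS.get(user_id)


def hardened_login(idp, token, expected_app_id=OUR_APP_ID):
    """Accepts the token only if it is active AND was issued to our own application."""
    info = idp.introspect(token)
    if not info.get("active"):
        return None
    if info.get("app_id") != expected_app_id:
        return None                      # token belongs to another client: reject
    return ACCOUNTS.get(info["user_id"])


def demo():
    """Run the Pass-The-Token scenario and return the outcome of each check."""
    idp = FakeIdP()
    # The victim logs in to an application the attacker registered with the
    # provider; the attacker now holds a token for the victim, bound to that app.
    foreign = idp.issue("victim-123", "app-attacker")
    # A token the provider issued for the relying site itself, for comparison.
    legit = idp.issue("victim-123", OUR_APP_ID)
    return {
        "vulnerable_with_foreign_token": vulnerable_login(idp, foreign),
        "hardened_with_foreign_token": hardened_login(idp, foreign),
        "hardened_with_own_token": hardened_login(idp, legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable path logs the attacker in as `victim@example.com` with a token that was never issued for the site; the hardened path rejects it while still accepting the site's own token. With a real provider the equivalent of `introspect` is the provider's token-introspection or token-debug endpoint, and the audience check must be made server-side before the returned user identity is trusted.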
“The thing that stood out most in our research is the fact that OAuth, which is the main technology behind social-login, is actually well designed and contains no obvious fail-points. However, most of the issues we found were related to the way OAuth is implemented by the various parties using it,” explained Yaniv Balmas, vice president of research at Salt Security.
The affected platforms mentioned in the latest Salt Security report (Vidio, Bukalapak and Grammarly) have since taken steps to resolve these security vulnerabilities after being alerted by Salt Labs’ researchers.
“Each one of us logs in to dozens of web services on a daily basis,” Balmas added. “The issues we found affect[ed] more than one billion users who might have found their accounts breached had this issue been found by other, ‘less friendly’ parties.”