Failure to verify OAuth tokens enables account takeover on websites
If that site is an e-commerce platform like Bukalapak, the user might have billing and payment information stored in their profile. If it’s a service like Grammarly, the user might have sensitive documents and so on.
Other variations and implementation oversights
OAuth is a complex standard and allows for various implementation variants. For example, instead of using redirect URLs between the site and the identity provider, the site might choose to use the PostMessage feature, but the attack is still possible in such an implementation if the token is not validated.
Passing tokens via URLs is potentially vulnerable to man-in-the-middle attacks: an attacker who can passively monitor traffic can simply extract the OAuth token from the URL they observe. Because of this, OAuth also provides a more secure approach in which the identity provider issues a one-time code instead of an access token; the website then sends that code, together with an application secret that only the site and Facebook know, to the Facebook API and exchanges it for a token.
Grammarly actually used this more secure code-based approach when the Salt Security team tested its OAuth implementation. However, the researchers saw that the Grammarly OAuth script accepted requests carrying the code as a request parameter and wondered whether it might also include a function that accepted tokens. They therefore tried making requests with the code parameter replaced by different words such as token, facebookToken, FBtoken and other variations, until they found that access_token worked and was accepted.
In other words, they managed to downgrade Grammarly’s implementation to the less secure variant, because the logic for handling tokens directly, instead of the one-time code, had been left in the script as an option. And it turned out there was no token validation step to check that the token had been issued for Grammarly’s own app ID.
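The missing step the researchers describe is an audience check: before trusting the user identity a token resolves to, the site must confirm the token was issued to its own app ID. The following is an added Python example, not code from the article or from Grammarly. It models the fields a provider's token-introspection call reports (after Facebook's debug_token response: app_id, user_id, is_valid, expires_at) with a constructed offline stub, and shows a token-accepting login handler without the check beside a hardened one; MY_APP_ID, the token strings and the stub are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

MY_APP_ID = "123456789012345"  # constructed placeholder for the site's own app ID


@dataclass
class TokenInfo:
    """Fields a provider's token-introspection call reports (modelled on
    Facebook's debug_token response); only what the check needs is kept."""
    app_id: str
    user_id: str
    is_valid: bool
    expires_at: int  # Unix time


def login_vulnerable(access_token: str, introspect) -> str:
    """The pattern the article describes: resolve the token to a user and log
    that user in, never asking which app the token was issued to."""
    return introspect(access_token).user_id


def validate_token_info(info: TokenInfo, now: int, my_app_id: str = MY_APP_ID) -> Optional[str]:
    """Return None when the token may be trusted, otherwise the reason to reject it."""
    if not info.is_valid:
        return "provider reports token invalid"
    if info.app_id != my_app_id:  # the missing audience check: token must be ours
        return "token issued to a different app"
    if info.expires_at <= now:
        return "token expired"
    return None


def login_hardened(access_token: str, introspect, now: int) -> str:
    info = introspect(access_token)
    reason = validate_token_info(info, now)
    if reason is not None:
        raise PermissionError(reason)
    return info.user_id


# Constructed stub for the provider's introspection endpoint so the example runs
# offline. The same user holds a token from our app and one from another app.
_FAKE_TOKENS = {
    "tok-our-app": TokenInfo(MY_APP_ID, "user-42", True, 2_000_000_000),
    "tok-other-app": TokenInfo("999999999999999", "user-42", True, 2_000_000_000),
    "tok-expired": TokenInfo(MY_APP_ID, "user-42", True, 1_000),
}


def fake_introspect(token: str) -> TokenInfo:
    return _FAKE_TOKENS.get(token, TokenInfo("", "", False, 0))
```

With the vulnerable handler, a token minted for a different app still logs the user in; the hardened handler rejects it with the reason from validate_token_info.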
The Salt Security researchers found other OAuth implementation flaws in major websites in the past, including some that could have given attackers access to Booking.com accounts. “It’s extremely important to make sure your OAuth implementation is secure,” the researchers said. “The fix is just one line of code away…. When OAuth is used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked.”