The critical API security flaws in the social sign-in and OAuth (Open Authentication) implementations affected high-profile companies like Vidio, Grammarly, and Bukalapak.
- Salt Security’s Salt Labs research team has identified vulnerabilities in the social login implementations of three popular websites.
- These vulnerabilities can expose over a billion user accounts to account hijacking and data leakage, given that social login is a standard feature found in almost all major and non-major websites.
- Eighty percent of the targets Salt Labs’ investigated contained security flaws concerning social login features.
- Researchers have revealed a small set of impacted targets.
- This discovery highlights the risks associated with social login functionality.
The leading API security firm, Salt Security’s Salt Labs research team, has identified critical API security flaws in the social sign-in and the OAuth (Open Authentication) implementations of several high-profile online firms, including Vidio, Grammarly, and Bukalapak.
Investigation revealed that through Pass-The-Token Attack, a threat actor could exploit the vulnerabilities, gaining unauthorized access to a user’s accounts on dozens of websites and access their credit cards, bank accounts, and other sensitive data.
For your information, OAuth is a widely used authentication method. Many websites and web services use it to enable the user-friendly one-click login process. Moreover, through OAuth implementation, users can log in to their social media accounts, such as Facebook or Google, to register on a website instead of creating a new login ID and password.
The vulnerabilities were detected in the social sign-in process’ access token verification step. It is a crucial component of the OAuth implementation on websites. The issue occurred due to improper token verification in the process, allowing adversaries to obtain unauthorized access.
In a blog post, Salt Labs Security Researcher Aviad Carmel wrote that their research team could exploit this flaw through the Pass-The-Token Attack, which involves inserting a token from another website to gain access to user accounts.
Vulnerability Impact on Vidio.com
On the Vidio website, researchers discovered the vulnerabilities while logging in through Facebook. The website (Vidio.com) didn’t verify the token or OAuth itself, which is a glaring flaw, allowing manipulation of the API calls to insert an access token created for another application. This alternate token-AppID combination allowed researchers to impersonate a user on the website and get the opportunity to take over thousands of accounts.
Vulnerability Impact on Bukalapak.com
One of Indonesia’s largest eCommerce platforms, Bukalapak’s website, also failed to verify the access token when users registered with a social login. Salt Labs team inserted a token from another website and was able to access a user’s credentials from the website, obtaining full control of the account.
It is worth noting that in May 2020, a hacker was discovered selling user data belonging to 13 million Bukalapak user accounts.
Vulnerability Impact on Grammarly
The researchers observed the AI-powered writing tool Grammarly.com website to learn the site’s code-sending terminology. Afterward, they could manipulate the API exchange to insert code used to verify users on a different website and successfully obtained user account credentials and performed account takeover.
Following the coordinated disclosure practice, Salt Labs researchers notified all three sites, and the issues have now been addressed. They believe the vulnerabilities could have impacted at least a billion accounts associated with the three affected sites.
The flaws although have been addressed but could have exposed sensitive login details and allowed adversaries to launch versatile range of attacks. This is a shocking discovery because thousands of websites use social sign-in functionality and billions of users worldwide could be at risk of threats like identity theft and financial fraud.
Social Login is a very common feature that is implemented on almost every major (and non-major) web service. Around 80% of our targets included some kind of security issue related to social login functionality. The impact is that we were successfully able to take over more than 1 billion accounts across all the targets, which includes the ones identified in this research plus many others.Yaniv Balmas – VP of Research at Salt Security
Dicussion at SecTor
Aviad Carmel and Yaniv Balmas of Salt Security will be hosting a speaking session titled: Uh-OAuth! – Breaking (and Fixing) OAuth Implementations” – Wednesday, October 25, 4:00-5:00pm, Meeting Room 718A.
For your information, SecTor is a Black Hat conference that focuses on underground threats and corporate defenses. It is held annually in Toronto, Canada. The conference is known for its high-quality speakers and attendees, and it is a must-attend event for anyone interested in the latest information on security threats and defenses. SecTor 2023 will be held October 23-26, 2023 at the Metro Toronto Convention Centre.
- 12-Year-Old Windows Defender flaw risked 1 billion devices
- Cybersecurity firm exposes 5 billion data breach records online
- DreamHost hosting firm exposed almost a billion sensitive records
- Credential Stealing Flaw in Google Chrome Impacted 2.5 Billion Users
- Online trading broker FBS exposes 20TB of data with 16 billion records
- Brazilian marketplace integrator Hariexpress exposed 1.75 billion records