Thousands of websites vulnerable to account takeover, security specialists warn

Flaws in social login mechanisms are leaving thousands of websites and a billion of their users vulnerable to account takeovers, API security company Salt Security warns. Vulnerable implementations on Grammarly, Vidio, and Bukalapak have already been remediated.

The latest research by Salt Security identified flaws in the access token verification step of the social sign-in process, part of the OAuth implementation on these websites.

OAuth is like a digital key that allows websites or apps to access certain information from another service with “one-click,” without needing a password. Favored across both websites and users, OAuth makes verifying user identity easy by tapping into their social media accounts, such as Google or Facebook.

However, for this type of login, sites must verify the provided token to approve access, something which many fail to do. As a result, the Salt Labs researchers were able to insert a token from another site as a verified token and gain access to user accounts. This technique is called a “Pass-The-Token Attack.”

“The vulnerabilities could have impacted nearly a billion user accounts across these three sites,” researchers warn.

The identified vulnerabilities allegedly allow criminals to access user accounts on dozens of websites, including banking, payment, and other sensitive data. Hackers could also perform any action on behalf of that user, leading to identity theft and financial fraud.

Examples include Grammarly, Vidio, and Bukalapak

According to the report, multiple online companies remediated such flaws after coordinated disclosure. However, thousands of other websites use the exact sign-in mechanisms, leaving them vulnerable to the same type of attack. This puts billions of individuals around the globe at risk.

Vidio: An online video streaming platform with 100M monthly active users, offers a range of content, including movies, TV shows, live sports, and original productions. Salt Labs’ researchers discovered OAuth security vulnerabilities when logging in through Facebook.

“Because the site did not verify the token, which the website developers must do, and not OAuth itself, an attacker could manipulate the API calls to insert an access token generated for a different application. This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts,” researchers said.

Bukalapak: With more than 150 million monthly users, Bukalapak is one of Indonesia’s largest e-commerce platforms. It also failed to verify the access token when users registered using a social login.

“Therefore, by inserting a token from another website, the Salt Labs team could access a user’s credentials in and completely take over that user’s account,” the report reads.

Grammarly: This AI-powered writing tool improves more than 30 million daily users writing by offering grammar, punctuation, spelling checks, and other writing tips. However, researchers from Salt Labs were able to manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user’s account and achieve a complete account takeover.

“OAuth is one of the fastest adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication,” said Yaniv Balmas, VP of Research, Salt Security. “The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.

The Salt Security State of API Security Report, Q1 2023, showed a 400% increase in unique attackers in the last six months. 43% of respondents were highly concerned about account takeovers.

More from Cybernews:

Social media is drowning in misinformation on the Israel-Hamas conflict

Experiment: AI explains why my ex ghosted me

Researchers find LLMs printing copyrighted materials from books like Harry Potter

ASVEL Basket confirms data breach

Thirty-four cybercrooks who stole data of 4 million people arrested in Spain

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked