API security company Salt Security has released new threat research from Salt Labs, which highlights API security vulnerabilities found in the social sign-in and Open Authentication (OAuth) implementations of multiple online companies. The flaws, discovered in Grammarly, Vidio, and Bukalapak, have since been addressed, but they could have potentially led to credential leakage and enabled full account takeover (ATO). According to Salt Labs, thousands of other websites that use social sign-in mechanisms might also be vulnerable to the same type of attack, putting billions of individuals at risk worldwide.
This research is the third and final report in the Salt Labs OAuth hijacking series, following vulnerabilities found in Booking.com and Expo earlier this year.
The recent research identifies flaws in the access token verification step of the social sign-in process, which is part of the OAuth implementation on the affected websites. These vulnerabilities could have impacted almost a billion user accounts across the three sites.
Cybercriminals could have gained complete access to a user’s accounts on multiple websites due to the identified vulnerabilities. This could potentially result in unauthorized access to sensitive data, identity theft, and financial fraud.
OAuth is a widely used technology across websites and web services that enables a “one-click” login by allowing users to verify their identity and register on a site using their social media accounts, such as Google or Facebook, instead of creating a unique username and password. However, in these cases, the websites failed to verify the access token, allowing Salt Labs researchers to insert a token from another site as a verified token and gain access to user accounts using a “Pass-The-Token Attack” technique.
Yaniv Balmas, VP of Research at Salt Security, emphasizes the importance of addressing OAuth implementation issues for businesses and their customers. He hopes that Salt Labs’ research will raise awareness in the industry about potential OAuth implementation errors and how to close API-based security gaps to better protect data and use OAuth more securely.
The research also highlights specific vulnerabilities found in the social sign-in and OAuth implementations of Bukalapak, Vidio, and Grammarly.
Bukalapak, one of Indonesia’s largest eCommerce platforms with over 150 million monthly users, did not verify the access token during social logins. This oversight allowed the Salt Labs team to access a user’s credentials and fully take over their account by inserting a token from another website.
Vidio, an online video streaming platform with 100 million monthly active users, had OAuth security vulnerabilities when users logged in through Facebook. By exploiting the site’s failure to verify tokens, the Salt Labs research team could manipulate API calls and insert an access token from a different application. This manipulation would have allowed the team to impersonate users and potentially take over thousands of accounts.
Grammarly, an AI-powered writing tool with over 30 million daily users, also experienced vulnerabilities in its OAuth implementation. By understanding the API calls and the terminology used by Grammarly, the Salt Labs team was able to manipulate the API exchange and gain access to user credentials, achieving full account takeover.
It is worth noting that upon discovering these vulnerabilities, Salt Labs followed proper disclosure practices, and all the identified issues have been addressed.
The full report on this research, including the methodology and steps for mitigation, can be found on the Salt Security website.
In conclusion, the recent research conducted by Salt Labs has unveiled API security vulnerabilities in the OAuth implementations of several online companies. The flaws in the social sign-in and OAuth processes of Grammarly, Vidio, and Bukalapak could have allowed cybercriminals to gain access to user accounts and potentially lead to identity theft and financial fraud. The research highlights the importance of addressing OAuth implementation issues to safeguard user data and improve the security of these authentication protocols. By following coordinated disclosure practices, Salt Labs has successfully brought attention to these vulnerabilities, leading to their remediation.