A new report released today by application programming interface security startup Salt Security Inc. warns of significant vulnerabilities in the social sign-in and OAuth (Open Authorization) mechanisms of several major online platforms.
If exploited, the vulnerabilities could have led to large-scale data breaches, including credential leaks and full account takeovers. The findings were published by Salt Labs, the company's research arm, to underline the need for stringent security measures and ongoing diligence across the industry, especially given how widely OAuth is deployed.
Although the vulnerabilities have since been fixed, the report details earlier OAuth implementation issues at Grammarly Inc., PT Vidio Dot Com (Indonesia) and PT Bukalapak.com. In each case the lapse was in the access token verification step, a crucial part of the OAuth flow.
The researchers demonstrate a technique they call a “Pass-The-Token Attack.” An access token that the identity provider issued for one site (for example, a site the attacker controls) is presented to a second site, which accepts it as if it had been issued for that site and grants the attacker the token holder's access. The weakness is that the second site checks only that the token is valid, not that it was issued to the site's own application.
On Vidio, an online streaming platform with approximately 100 million monthly users, vulnerabilities were exposed when users logged in via Facebook. Bukalapak, an Indonesian e-commerce platform, exhibited similar flaws in its token verification process.
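The missing check described above, shown as an added example in Python (this is not code from Salt Labs, Vidio, Bukalapak or Grammarly). The provider responses are constructed to resemble the shape of a token-introspection result from a social identity provider (is_valid, app_id, user_id); nothing is fetched over the network, and the app ID and token strings are made up for the illustration.

```python
"""Pass-the-token: why the app_id (audience) check on an access token matters.

Added example, not code from Salt Labs or any of the affected sites. The
introspection results below are constructed; in a real deployment each
entry would come from the identity provider's token-debug endpoint.
"""
import hmac

OUR_APP_ID = "111111"  # assumed: the app id this site registered with the provider

# Constructed provider responses, keyed by access token.
INTROSPECTION = {
    # token the victim obtained by logging in to THIS site via the provider
    "tok-victim-for-our-app": {"is_valid": True, "app_id": "111111", "user_id": "u-42"},
    # token the victim obtained by logging in to the attacker's site, which is
    # registered with the same provider as a different application
    "tok-victim-for-attacker-app": {"is_valid": True, "app_id": "999999", "user_id": "u-42"},
    # an expired or revoked token
    "tok-expired": {"is_valid": False, "app_id": "111111", "user_id": "u-42"},
}


def introspect(token):
    """Stand-in for the provider's token-debug call; None for unknown tokens."""
    return INTROSPECTION.get(token)


def login_vulnerable(token):
    """Flawed verification: trusts any token the provider reports as valid.

    This is the pattern behind the pass-the-token attack: the token need not
    have been issued to this application at all.
    """
    info = introspect(token)
    if info is None or not info["is_valid"]:
        return None
    return info["user_id"]  # a session is created for this user


def login_hardened(token):
    """Correct verification: the token must be valid AND issued to our app."""
    info = introspect(token)
    if info is None or not info["is_valid"]:
        return None
    # Reject tokens minted for any other app_id. (App ids are public, so the
    # constant-time compare is habit rather than a requirement here.)
    if not hmac.compare_digest(info["app_id"], OUR_APP_ID):
        return None
    return info["user_id"]


def pass_the_token_attack(login):
    """The attacker replays the token the victim handed to the attacker's site.

    Returns the user id the target site logs the attacker in as, or None.
    """
    stolen = "tok-victim-for-attacker-app"
    return login(stolen)


if __name__ == "__main__":
    print("vulnerable site logs attacker in as:", pass_the_token_attack(login_vulnerable))
    print("hardened site logs attacker in as:", pass_the_token_attack(login_hardened))
```

With a Facebook login the `app_id` field comes back from the `debug_token` endpoint when it is called with the site's own app access token; the same principle applies to OpenID Connect ID tokens, where the `aud` claim must equal the site's client ID. Either way, the site should also take the user identity from the provider's response, never from a user-supplied field alongside the token.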
For Grammarly, which provides AI-assisted grammar checking, the Salt Labs researchers were able to manipulate an API exchange in the sign-in flow to obtain user credentials.
After identifying these vulnerabilities, the researchers followed coordinated disclosure practice and alerted the affected companies. All of the reported vulnerabilities have since been fixed. Salt Labs argues, however, that the findings point to a broader industry problem: the continuing difficulty of implementing OAuth securely.
“OAuth is one of the fastest-adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication,” explained Yaniv Balmas, vice president of research at Salt Security. “The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.”
“We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely,” Balmas added.
Image: DALL-E 3