Salt Security Inc recently conducted threat research and identified critical API security flaws in the OAuth implementations of several prominent online firms, including Vidio [9], Grammarly [1] [2] [3] [5] [6] [7] [8] [9], and Bukalapak [1] [2] [3] [5] [6] [7] [8] [9]. These vulnerabilities, which have since been addressed by Salt Labs, had the potential to compromise user credentials and enable complete account takeovers [2], putting billions of users at risk [1] [2] [7].
Description
The vulnerabilities were specifically discovered in the access token verification step of the social sign-in process [9], allowing cyber criminals to gain unauthorized access to user accounts [1] [4] [7] [8] [9]. This technique [4] [6] [8], known as a “Pass-The-Token Attack,” could have affected nearly a billion user accounts across the three sites. Furthermore, Salt Labs warns that thousands of other websites utilizing social sign-in mechanisms may also be susceptible to similar attacks [1] [7] [8]. It is crucial to close API-based security gaps and utilize OAuth in a more secure manner to safeguard data.
The affected platforms promptly addressed these vulnerabilities after being alerted by Salt Labs’ researchers [2]. However, this research underscores the ongoing challenges associated with securing OAuth implementations and highlights the need for organizations to implement OAuth correctly and comprehend the potential consequences of their implementation decisions. Salt Labs recommends utilizing single-sign-on solutions instead of social sign-ins and conducting code reviews to prevent vulnerabilities [5]. This research is part of Salt Labs’ OAuth hijacking series [9], with previous vulnerabilities identified in Expo and Booking.com [9].
Conclusion
The discovery of these API security flaws and subsequent remediation efforts by Salt Labs have significant implications. By addressing these vulnerabilities [2] [6], the risk of compromising user credentials and enabling account takeovers has been mitigated. However, the incident serves as a reminder of the ongoing challenges in securing OAuth implementations. Organizations must prioritize the proper implementation of OAuth and fully understand the potential impact of their decisions. Moving forward, it is crucial to continue improving API-based security measures to protect user data effectively.
References
[1] https://finance.yahoo.com/news/salt-security-discovers-flaws-social-120000005.html
[2] https://www.infosecurity-magazine.com/news/api-security-flaw-grammarly-vidio/
[3] https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions
[4] https://betanews.com/2023/10/24/flaw-in-social-login-could-expose-billions-to-account-takeover/
[5] https://www.scmagazine.com/news/flaws-in-oauths-social-sign-in-could-have-put-billions-of-users-at-risk
[6] https://siliconangle.com/2023/10/24/potential-oauth-lapses-led-significant-data-breaches-warns-salt-labs/
[7] https://www.prnewswire.com/news-releases/salt-security-discovers-flaws-in-social-login-mechanism-impacting-1000s-of-websites-and-exposing-billions-of-users-to-account-takeover-301965311.html
[8] https://www.digitalpulsehq.com/salt-security-discovers-flaws-in-social-login-mechanism-impacting-thousands-of-websites/24/10/2023/
[9] https://www.hackread.com/social-login-websites-flaws-risked-user-accounts/
