Salt Security’s Salt Labs research team, a prominent API security firm, has uncovered critical API security vulnerabilities affecting the social sign-in and OAuth (Open Authentication) implementations of several renowned online companies, among them Vidio, Grammarly, and Bukalapak.
A meticulous investigation conducted by Salt Labs researchers unveiled the potential for malicious actors to exploit these vulnerabilities through a Pass-The-Token Attack, thereby gaining unauthorized access to users’ accounts on numerous websites. This unauthorized access could extend to sensitive data such as credit card information, bank accounts, and other personal details.
This latest research release signifies the conclusion of Salt Labs’ third installment in their series on OAuth hijacking. Before this discovery, the research team had previously identified vulnerabilities in Expo and Booking.com.
It is worth noting that OAuth is a widely adopted authentication method that plays a pivotal role in simplifying the user login experience on many websites and web services. Through OAuth implementation, users have the convenience of logging in via their social media accounts, such as Facebook or Google, rather than creating a new set of login credentials.
The vulnerabilities pinpointed in this research were found to be linked to the access token verification step within the social sign-in process. This step is an integral component of OAuth implementation on websites. The vulnerabilities arose due to improper token verification, creating an opening for adversaries to gain unauthorized access.
In a detailed blog post, Salt Labs Security Researcher Aviad Carmel elaborated on how their research team exploited this flaw through a Pass-The-Token Attack, a method that involves inserting a token from one website to gain unauthorized access to user accounts.
The Impact on Vidio.com
Researchers uncovered these vulnerabilities on the Vidio website while attempting to log in using Facebook credentials. Notably, Vidio.com failed to execute proper token verification or OAuth validation, revealing a significant security flaw. This loophole enabled the manipulation of API calls, permitting the insertion of an access token originally generated for a different application.
This alternative token-AppID pairing, as exploited by the researchers, facilitated the impersonation of a user on the website, consequently granting them the ability to potentially seize control of many accounts.
Impact on Bukalapak.com
Bukalapak, a prominent eCommerce platform in Indonesia, faced a similar security lapse on its website. When users opted for social login during the registration process, the platform failed to adequately verify the access token. This oversight provided an opening for the Salt Labs team to insert a token originating from a different website, resulting in unauthorized access to a user’s credentials on the Bukalapak site. Such an intrusion granted the intruders full control over the compromised account.
Impact on Grammarly
The investigative team meticulously examined Grammarly.com, an AI-powered writing tool, to dissect the website’s code transmission protocols. This process empowered them to manipulate the API exchange, introducing code designed to authenticate users on an entirely separate website. This calculated maneuver yielded the successful acquisition of user account credentials, facilitating an account takeover.
In adherence to established coordinated disclosure procedures, Salt Labs researchers promptly alerted all three websites involved, ultimately resulting in the resolution of the identified issues. It is the belief of the research team that these vulnerabilities had the potential to impact an estimated one billion accounts affiliated with the trio of affected websites.
While these vulnerabilities have since been rectified, they had the potential to expose critical login information and provide adversaries with the means to launch a broad spectrum of attacks. This revelation is of significant concern, considering the widespread adoption of social sign-in functionality across thousands of websites. This widespread usage places billions of users worldwide at risk of various threats, including identity theft and financial fraud.
Social Login is a very common feature that is implemented on almost every major (and non-major) web service. Around 80% of our targets included some kind of security issue related to social login functionality. The impact is that we were successfully able to take over more than 1 billion accounts across all the targets, which includes the ones identified in this research plus many others.
Yaniv Balmas – VP of Research at Salt Security