Salt Labs on Tuesday uncovered API security vulnerabilities in the social sign-in and Open Authentication (OAuth) implementations of multiple online companies, including Grammarly, Vidio and Bukalapak.
Click for more special coverage
In an Oct. 24 blog post, Salt Labs said the flaws — which have since been remediated — could have allowed for credential leakage and full account takeover. Salt researchers also reported that thousands of other websites using social sign-in mechanisms are likely vulnerable to the same type of attack, putting billions of individuals around the globe at risk.
Favored across many websites and web services, OAuth allows for a "one-click" social sign-in that lets users tap their social media accounts, such as Google or Facebook, to verify their identity and register on a site rather than set up a unique username-password combination for access.
For this type of login, the Salt Labs researchers said OAuth needs a verified token to approve access, and all three sites failed to verify the token. As a result, the researchers were able to insert a token from another site as a verified token and gain access to user accounts — using a technique called "Pass-The-Token Attack."
“The most significant issue we identified is that while OAuth is well-designed, and while the major OAuth providers, such as Google, Facebook and others, have very secured servers, issues are often found at the side of the service implanting OAuth,” said Yaniv Balmas, vice president of research at Salt Labs. “It’s quite easy for anyone to add social-login functionality to a website, whether by implementing it themselves, or using third-party solutions. However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users.”
Patrick Tiquet, vice president of security and architecture at Keeper Security, said the research from Salt Labs illustrates the need for organizations to ensure proper implementation of OAuth. Tiquet said while the underlying cryptography offers strong security, there are inconspicuous implementation decisions that can lead to vulnerabilities.
“For correct implementation, engineers should question what the different options do, choose the more secure option at every opportunity and validate the potential impact when choosing options outside of defaults,” said Tiquet. “Most OAuth vulnerabilities are because of improper implementation, and that’s why this type of project requires experienced engineers and extra time for code reviews.”
Aubrey Perin, lead threat intelligence analyst at Qualys, added that companies should avoid and discourage social sign-ins.
“Instead, organizations should leverage single-sign-on solutions that they can control and audit as part of their comprehensive identity access management policies and programs,” said Perin.