Highlights:
- Salt Labs released findings to stress the need for robust cybersecurity measures and continuous vigilance in the tech industry, especially with the widespread use of OAuth.
- Salt Labs researchers manipulated an API exchange with Grammarly, a grammar-checking platform with AI, to access user credentials.
Recent research from application programming interface security startup, Salt Security Inc., warns of serious flaws in the social sign-in and Open Authentication systems used by a number of major online platforms.
The vulnerabilities could have resulted in significant data breaches, including credential leaks and complete account takeovers, if they were exploited. Salt Labs published the findings to highlight the significance of rigorous cybersecurity measures and ongoing diligence in the tech industry, particularly given the prevalence of OAuth implementations.
The report explores earlier problems with OAuth as used by Grammarly Inc., PT Vidio Cot Com Indonesia, and PT Bukalapak.com despite the fixed vulnerability. The security flaws affected the access token verification step, a crucial part of the OAuth process.
The scientists present a method known as a “Pass-The-Token Attack.” The process enables the fraudulent use of a token from one site as a verified token on another, granting unauthorized access.
Vidio, an online streaming service with about 100 million monthly users, had security flaws when users signed in using Facebook. An Indonesian e-commerce platform, Bukalapak, showed similar issues with its token verification procedure.
The Salt Labs researchers successfully controlled an API exchange with Grammarly, which offers grammar checking with a dash of artificial intelligence, to gain access to user credentials.
After identifying these vulnerabilities, the researchers adhered to established industry standards for coordinated disclosure and promptly informed the affected companies about the potential risks. Subsequently, all identified vulnerabilities were addressed and resolved. Nevertheless, this discovery highlights a broader issue within the industry – the persistent challenges associated with securing OAuth implementations.
Vice President of Research at Salt Security, Yaniv Balmas, explained, “OAuth is one of the fastest-adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication. The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.”
Researchers from Salt Labs have previously discussed OAuth problems at travel agency Booking.com B.V. and with Expo, an open-source platform for creating and deploying cross-platform native applications using JavaScript and React. The recent disclosure is not the first time Salt Labs researchers have discussed OAuth problems in detail.
Balmas added, “We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely.”