UPDATED 08:00 EDT / OCTOBER 24 2023

SECURITY

Potential OAuth lapses could have led to significant data breaches, warns Salt Labs

A new report released today by application programming interface security startup Salt Security Inc. warns of significant vulnerabilities in several major online platforms’ social sign-in and Open Authorization (OAuth) mechanisms.

If exploited, the vulnerabilities could have led to massive data breaches, including credential leaks and full account takeovers. The findings were released by Salt Labs to emphasize the importance of stringent cybersecurity measures and ongoing diligence in the tech industry, especially given the ubiquity of OAuth implementations.

Although the vulnerabilities have been fixed, the report details previous issues with OAuth as implemented by Grammarly Inc., PT Vidio Dot Com Indonesia and PT Bukalapak.com. The security lapses involved the access token verification step, a crucial part of the OAuth flow.

The researchers demonstrate a technique dubbed a “Pass-The-Token Attack.” The method allows a token issued for one site to be presented as a verified token on another, granting illicit access.

On Vidio, an online streaming platform with approximately 100 million monthly users, vulnerabilities were exposed when users logged in via Facebook. Bukalapak, an Indonesian e-commerce platform, exhibited similar flaws in its token verification process.
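The verification gap behind a pass-the-token scenario is the missing audience check: the site confirms that the provider's access token is valid, but not that it was issued to this application. The following added example (written for this article, not code from Salt Labs or any of the named platforms) contrasts the weak login check with a hardened one; the introspection responses, app ids and tokens are constructed sample values, and the `Introspection` shape mirrors the app-id/user-id/validity fields a provider's token-debug endpoint typically returns.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an identity provider's token introspection
# response: which app the token was issued to, which user it represents,
# and whether it is still valid. Sample data only, not a real provider.
@dataclass(frozen=True)
class Introspection:
    valid: bool
    app_id: str      # client/app the provider issued the token to
    user_id: str     # provider-side user the token represents

# Hypothetical provider directory: token -> introspection result.
PROVIDER_TOKENS = {
    "tok-issued-to-streaming-app": Introspection(True, "app-streaming", "user-42"),
    "tok-issued-to-other-app":     Introspection(True, "app-unrelated", "user-42"),
    "tok-revoked":                 Introspection(False, "app-streaming", "user-42"),
}

MY_APP_ID = "app-streaming"   # the client id this site registered with the provider

def introspect(token: str) -> Optional[Introspection]:
    """Simulates asking the provider about a token (constructed lookup)."""
    return PROVIDER_TOKENS.get(token)

def login_unverified_audience(token: str) -> Optional[str]:
    """Weak pattern: any valid token is mapped straight to the user it names.
    A genuine token minted for a different app carries the same user_id, so
    it is honoured here even though this site never issued it."""
    info = introspect(token)
    if info is None or not info.valid:
        return None
    return info.user_id

def login_verified_audience(token: str, expected_app_id: str = MY_APP_ID) -> Optional[str]:
    """Hardened pattern: besides validity, require that the token was issued
    to *this* application before mapping it to a local account."""
    info = introspect(token)
    if info is None or not info.valid:
        return None
    if info.app_id != expected_app_id:
        # Genuine token, wrong audience: reject (and log the mismatch).
        return None
    return info.user_id
```

In a real deployment the rejected-audience branch is also a useful detection signal: a burst of valid-but-foreign tokens at the social login endpoint is worth alerting on.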

For Grammarly, which provides grammar checking with a dose of artificial intelligence, the Salt Labs researchers were able to manipulate an API exchange with Grammarly to access user credentials.

Upon detecting these vulnerabilities, the researchers followed industry best practices in coordinated disclosure and alerted the implicated companies of the potential risks. All identified vulnerabilities have since been addressed and rectified. However, it’s argued that the discovery underscores a broader industry issue: the ongoing challenges of securing OAuth implementations.

“OAuth is one of the fastest-adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication,” explained Yaniv Balmas, vice president of research at Salt Security. “The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.”

The disclosure today is not the first time Salt Labs researchers have detailed OAuth issues, having previously covered similar issues at travel booking company Booking.com B.V. and with Expo — an open-source platform for building and deploying cross-platform native applications using JavaScript and React.

“We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely,” Balmas added.

Image: DALL-E 3
