A new report released today by application programming interface security startup Salt Security Inc. warns of significant vulnerabilities in several major online platforms’ social sign-in and Open Authentication mechanisms.

If exploited, the vulnerabilities could have led to massive data breaches, including credential leaks and full account takeovers. The findings were released by Salt Labs to emphasize the importance of stringent cybersecurity measures and ongoing diligence in the tech industry, especially given the ubiquity of OAuth implementations.

Although the vulnerability has been fixed, the report delves into previous issues with OAuth as implemented by Grammarly Inc., PT Vidio Cot Com Indonesia and PT Bukalapak.com. The security lapses involved the access token verification step, a crucial component of the OAuth procedure.

The researchers demonstrate a technique dubbed a “Pass-The-Token Attack.” The method allows the unauthorized insertion of a token from one site as a verified token on another, delivering illicit access.

On Vidio, an online streaming platform with approximately 100 million monthly users, vulnerabilities were exposed when users logged in via Facebook. Bukalapak, an Indonesian e-commerce platform, exhibited similar flaws in its token verification process.

For Grammarly, which provides grammar checking with a dose of artificial intelligence, the Salt Labs researchers were able to manipulate an API exchange with Grammarly to access user credentials.

Upon detecting these vulnerabilities, the researchers followed industry best practices in coordinated disclosure and alerted the implicated companies of the potential risks. All identified vulnerabilities have since been addressed and rectified. However, it’s argued that the discovery underscores a broader industry issue: the ongoing challenges of securing OAuth implementations.

“OAuth is one of the fastest-adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication,” explained Yaniv Balmas, vice president of research at Salt Security. “The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.”

The disclosure today is not the first time Salt Labs researchers have detailed OAuth issues, having previously covered similar issues at travel booking company Booking.com B.V. and with Expo — an open-source platform for building and deploying cross-platform native applications using JavaScript and React.

“We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely,” Balmas added.

Image: DALL-E 3