Flaw in social login could expose billions to account takeover
New research from Salt Labs highlights API security vulnerabilities uncovered in the social sign-in and Open Authentication (OAuth) implementations of multiple online companies.
Sites affected include Grammarly, Vidio, and Bukalapak. The flaw has now been fixed but could have allowed for credential leakage and enabled full account takeover. Salt Labs also reports that thousands of other websites using social sign-in mechanisms are likely to be vulnerable to the same type of attack, putting billions of individuals around the globe at risk.
The vulnerabilities identified could allow cyber criminals to gain complete access to a user's accounts on dozens of websites, potentially allowing access to bank accounts, credit card details, and other sensitive data. They would also be able to perform any action on behalf of that user which may lead to identity theft and financial fraud.
OAuth enables a 'one-click' login that lets users tap their social media accounts, such as Google or Facebook, to verify their identity and register on a site rather than set up a unique username/password combination for access. For this type of login, OAuth needs a verified token to approve access, and all three sites failed to verify the token they were handed. As a result, the Salt Labs researchers were able to present a token that had been issued for a different site as if it were a verified token for the target site and gain access to user accounts, using a technique called a 'Pass-The-Token Attack.'
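As an added illustration (not code from the Salt Labs report or from any of the affected sites), the following Python sketch contrasts a weak token check, which accepts any token the provider recognises, with one that also verifies the token was issued for this application; the provider responses, client IDs, user values and token strings are constructed.

```python
"""Pass-the-token weakness in social login: weak vs. hardened token check.

The identity provider is stubbed with constructed token-introspection
responses. EXPECTED_CLIENT_ID and the token strings are hypothetical.
"""
import time

# Hypothetical: the client ID this application registered with the provider.
EXPECTED_CLIENT_ID = "our-app-client-id"

# Constructed responses shaped like an OpenID Connect tokeninfo reply.
# 'aud' records which client the provider issued the token to.
TOKEN_INFO = {
    "tok-ours": {"active": True, "sub": "user-123", "email": "alice@example.com",
                 "aud": "our-app-client-id", "exp": int(time.time()) + 3600},
    "tok-other": {"active": True, "sub": "user-123", "email": "alice@example.com",
                  "aud": "some-other-site-client-id", "exp": int(time.time()) + 3600},
    "tok-expired": {"active": False, "sub": "user-123", "email": "alice@example.com",
                    "aud": "our-app-client-id", "exp": int(time.time()) - 60},
}


def introspect(token):
    """Stand-in for calling the provider's tokeninfo/userinfo endpoint."""
    return TOKEN_INFO.get(token)


def login_vulnerable(token):
    """Weak check: any live token the provider recognises is accepted.
    A token minted for a different site still resolves to the user's
    identity, so it is accepted here; this is the pattern the article describes."""
    info = introspect(token)
    if not info or not info["active"]:
        return None
    return info["email"]


def login_hardened(token, expected_client_id=EXPECTED_CLIENT_ID):
    """Hardened check: the token must be live, unexpired, and issued to us."""
    info = introspect(token)
    if not info or not info["active"] or info["exp"] <= time.time():
        return None
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in audiences:
        return None  # token belongs to another application: reject it
    # Key the local account on the stable 'sub' claim, not the mutable email.
    return info["email"]
```

A token issued to another site is accepted by `login_vulnerable` but rejected by `login_hardened` solely because of the audience check; in a real deployment the same check applies to the `aud` of an ID token or the `azp`/`aud` fields of the provider's tokeninfo response.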
Yaniv Balmas, VP of research at Salt Security, says:
The thing that stood out most in our research is the fact that OAuth, which is the main technology behind social-login, is actually well designed and contains no obvious fail-points; however, most of the issues we found were related to the way OAuth is implemented by the various parties using it. Social-Login is super-useful and, as a web service, it is very easy to implement at the basic level; however, without the proper knowledge and awareness this also quite often leaves the door wide open, risking the entire user base.
As part of our mission at Salt-Labs we constantly look for API-related issues at major web services that could have a big impact on millions of users. OAuth and Social-Login in this case were a perfect target due to their huge popularity on the one hand and the fact that any flaw in the login process almost always leads to full account takeovers.
These findings should be very interesting to basically anyone, whether or not they know what OAuth or APIs are or how social login works. Each one of us logs in to dozens of web services on a daily basis. The issues we found affect more than a billion users who might have found their accounts breached had this issue been found by other, 'less friendly' parties.
You can see the full report describing how the attack works on the Salt site.
Image credit: videoflow/depositphotos.com