'Log in with...' Feature Allows Full Online Account Takeover for Millions

Cyber Security Threat Summary:
Flaws in how Grammarly, Vidio, and Bukalapak implemented OAuth could have exposed the credentials and financial information of millions of users. Salt Labs researchers found serious API misconfigurations on all three sites, and the same problems are likely present on many other online services that offer social login, where they could lead to account takeovers, credential theft, and financial fraud for users across a wide range of websites.

Salt Labs researchers have labeled the issue found in Vidio, Grammarly, and Bukalapak a "Pass-The-Token" flaw. In this type of vulnerability, an attacker takes a token (the unique, secret identifier a provider issues for authentication) that was issued for a third-party site, typically one the attacker owns, and presents it to a different service. As Yaniv Balmas, VP of Research at Salt, explained, if a user logged into a site owned by the attacker, such as mytimeplanner[.]com, the attacker could use that user's token to access other services like Grammarly. The issues were discovered in Vidio, Bukalapak, and Grammarly between February and April; Salt Labs promptly alerted the companies, and the misconfigurations in all three services have been fixed. The problem is not limited to these cases, however. The researchers say these three instances were sufficient to illustrate the issue and that they did not look for additional targets, but they believe thousands of other websites may be vulnerable to the same attack, potentially jeopardizing billions of internet users daily.

The issue manifested differently on each of the three websites. On Vidio, a platform with 100 million monthly users, the site failed to verify tokens during Facebook logins, which allowed attackers to substitute access tokens issued to different applications and take over accounts. Bukalapak, with over 150 million monthly users, likewise lacked token verification during social logins, enabling attackers to access user credentials and take over accounts. Grammarly, used by over 30 million daily users for writing improvement, showed a different variant: researchers manipulated API calls and terminology to insert code from another site, compromising user credentials and achieving full account takeover.

Security Officer Comments:
OAuth is a commonly used standard for cross-platform authentication, familiar as the "Log in with Facebook" or "Log in with Google" option on websites. The newly identified problems lie in how sites implement OAuth, not in the standard itself, and they add to a series of similar issues found over the past few months across major online platforms. Previously, the same researchers found OAuth implementation flaws in Booking[.]com and Expo that could have led to account takeovers and access to personal or payment card information; the Booking[.]com flaw could also have allowed access to its sister platform, Kayak[.]com.

Suggested Correction(s):
All three affected sites, Vidio, Bukalapak and Grammarly, have fixed the issue, and it is no longer a concern for their users. To prevent this class of vulnerability, follow the guidance provided by the identity providers and other platforms that support social logins. The key is to thoroughly verify tokens during the authentication process, including confirming that a presented token was actually issued for the site's own application rather than for some other app. A secure OAuth implementation is essential for any website or service that relies on it, which may require developers to research the provider's verification requirements carefully before integrating OAuth into their sites.
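To make the correction concrete, the following is an added example (not code from Salt Labs or from any of the affected sites) of the server-side check a "Log in with Facebook" backend should perform. It contrasts the flawed pattern, which accepts any valid token, with one that also requires the token to have been issued to the site's own application. The introspection payloads are constructed so the example runs offline; in production they would come from the provider's token-introspection endpoint (for Facebook, GET /debug_token), and the app id is a placeholder.

```python
# Added example: rejecting tokens issued to a different application, which is
# the gap a Pass-The-Token attack relies on. Not the affected sites' code.
from dataclasses import dataclass

OUR_APP_ID = "123456789"  # constructed placeholder, not a real application id


@dataclass
class SocialIdentity:
    provider: str
    user_id: str


def vulnerable_login(introspection: dict) -> SocialIdentity:
    """Flawed pattern: trusts any valid token, regardless of which app it was issued to."""
    data = introspection["data"]
    if not data.get("is_valid"):
        raise PermissionError("token is not valid")
    return SocialIdentity("facebook", data["user_id"])


def hardened_login(introspection: dict, expected_app_id: str = OUR_APP_ID) -> SocialIdentity:
    """Accepts the token only if the provider reports it was issued to our own app."""
    data = introspection["data"]
    if not data.get("is_valid"):
        raise PermissionError("token is not valid")
    if data.get("app_id") != expected_app_id:
        # A token minted for a third-party (possibly attacker-owned) app must not
        # log anyone in here, even though the provider considers it valid.
        raise PermissionError("token was issued to a different application")
    return SocialIdentity("facebook", data["user_id"])


def accepts(login_fn, introspection: dict) -> bool:
    """Helper: True if the given login function would sign the user in."""
    try:
        login_fn(introspection)
        return True
    except PermissionError:
        return False


# Constructed introspection results: same user, tokens from two different apps.
OWN_APP_TOKEN = {"data": {"is_valid": True, "app_id": OUR_APP_ID, "user_id": "u-42"}}
FOREIGN_APP_TOKEN = {"data": {"is_valid": True, "app_id": "999000999", "user_id": "u-42"}}

if __name__ == "__main__":
    print("vulnerable accepts foreign-app token:", accepts(vulnerable_login, FOREIGN_APP_TOKEN))
    print("hardened accepts foreign-app token:", accepts(hardened_login, FOREIGN_APP_TOKEN))
    print("hardened accepts own-app token:", accepts(hardened_login, OWN_APP_TOKEN))
```

The same audience check applies to other providers: whatever field identifies the client or application the token was issued to must match your own registered application before the token is used to sign anyone in.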

Link(s):
https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-takeover-millions
https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts