Careless OAuth Implementation Puts Billions at Risk

Social media single sign-on standard OAuth has an implementation weakness that hackers could exploit to obtain unauthorized access, say researchers from Salt Security.

See Also: Navigating SEC Compliance: A Comprehensive Approach to Cybersecurity Resilience

OAuth is the protocol behind logon prompts allowing customers to use their Facebook or Google credentials – or other third party credential – to access websites rather than creating a new, dedicated credential. Its security hinges on one critical implementation mechanism: it’s up the website, not Facebook or Google, to verify that the user should have access to the service.

Salt Security in a Tuesday blog post says it spotted a handful of sites, including the AI-powered Grammarly writing app, skipping the validation step – allowing researchers to recycle credentials to gain account access.

“Just these three sites are enough for us to prove our point, and we decided to not look for additional targets, but we expect that 1,000s of other websites are vulnerable to the attack we detail in this post, putting billions of additional internet users at risk every day,” the firm wrote. The company earlier this year disclosed flaws in the Expo framework, used by many online services to implement OAuth (see: OAuth Flaw Exposed Social Media Logins to Account Takeover).

Social logon presumes that one user will have many accounts, spread across many websites. Rather than create a logon credential for each website, the idea is that users turn to a third party to supply the credential, transmitted as a token. Because users use social logon on for multiple websites, websites much validate for themselves whether the token is valid. Under the OAuth standard, they’re supposed to do so by calling an API that confirms – or denies – that the token ID correlates to the correct website.

That leaves an opening to bad actors who can create an online service offering social logon. That way, they can harvest valid tokens generated for their online service and use them to logon onto another site as the victim.

The attack won’t work so long as every website that accepts social logon makes sure to validate the token ID, wrote Salt researcher Aviad Carmel.

Carmel says he spotted three sites that didn’t: Indonesian video streaming service Vidio, Bukalapak, a large Indonesian e-commerce platform and Grammarly.

That let Carmel use a token generated for the malicious site YourTimePlanner.com and use it to log on to Vido. Vidio told Salt Security that “the vulnerability pertained mainly to the Facebook OAuth implementation” and that it was active “only during a certain period because of a migration from one Facebook OAuth App to another.” Bukalapak told Salt that it fixed the problem and also enabled one-time passwords for logons.

Grammarly’s logon process required an additional step to hack, Carmel says, since rather than accepting a token, it asks for code that is later swapped for a token. Carmel said he could force Grammarly into accepting tokens upfront through a slight tweak in the coding of OAuth-derived response to Grammarly. The assisted writing provider told Salt it fixed the vulnerability.