Cybersecurity experts have discovered a possible way for hackers to take over user accounts on popular websites that serve hundreds of millions of users. With the stolen accounts, the hackers could carry out all kinds of cyber attacks: social engineering, wire fraud, phishing and more.
So say cybersecurity researchers at Salt Security, who discovered an API security vulnerability in the implementation of social login and Open Authentication (OAuth).
Social login allows users to create and log into accounts on different platforms using social media accounts they are already logged into. Users can choose to log in with their Google account, Facebook account, Twitter, Apple and more – all with a single click.
Pass the token
The flaw itself lies in the access token verification step. When a user logs in, OAuth requires such a token, and if the site does not properly verify it, an attacker can substitute a different token and gain access to the account. The researchers call this technique ‘Pass-The-Token-Attack’.
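To make the verification step concrete, here is an added Python illustration of the two ways a site can handle the access token it receives during social login. This is example code written for this article, not code from Salt Security or from any of the sites it names. The identity provider is simulated with a constructed in-memory table of token-introspection results; the field names (aud, email, exp) follow the general shape of OAuth/OIDC token-info responses, and OUR_CLIENT_ID and the token strings are made-up values. The vulnerable version checks only that the token is live and maps it to a user; the hardened version also checks that the token was issued to this site's own client.

```python
"""Access-token verification in social login: the check that is easy to skip.

Added illustration (not the article's or Salt Security's code). The identity
provider is replaced by a constructed lookup table so the example runs offline.
"""

# Assumption: the OAuth client id this site registered with the provider.
OUR_CLIENT_ID = "example-site-client-id"

# Fixed "current time" so the expiry check is deterministic.
NOW = 1_700_000_000

# Constructed token-introspection results, keyed by access token value.
# 'aud' is the client the token was issued to, 'email' the user it represents.
FAKE_TOKENINFO = {
    "tok-issued-to-this-site": {
        "aud": OUR_CLIENT_ID,
        "email": "alice@example.com",
        "exp": NOW + 3600,
    },
    # A perfectly valid token for the same user, but issued to a different app.
    "tok-issued-to-other-app": {
        "aud": "some-other-app-client-id",
        "email": "alice@example.com",
        "exp": NOW + 3600,
    },
    "tok-expired": {
        "aud": OUR_CLIENT_ID,
        "email": "alice@example.com",
        "exp": NOW - 1,
    },
}


def introspect(token):
    """Simulated provider token-info lookup; None means the token is unknown."""
    return FAKE_TOKENINFO.get(token)


def login_vulnerable(token, now=NOW):
    """Accepts any live token for the user, whichever app it was issued to.

    This is the pattern described in the article: the token is never checked
    against the site's own client id, so a token obtained through some other
    application still resolves to the same account here.
    Returns the logged-in user's email, or None if login is refused.
    """
    info = introspect(token)
    if info is None or info["exp"] < now:
        return None
    return info["email"]


def login_hardened(token, now=NOW):
    """Same as above, but also requires the token to have been issued to us.

    Rejecting tokens whose audience is another client is what stops a
    substituted token from being accepted.
    """
    info = introspect(token)
    if info is None or info["exp"] < now:
        return None
    if info["aud"] != OUR_CLIENT_ID:
        return None
    return info["email"]


if __name__ == "__main__":
    for tok in FAKE_TOKENINFO:
        print(f"{tok:28s} vulnerable={login_vulnerable(tok)!s:20s} hardened={login_hardened(tok)}")
```

The difference between the two functions is a single comparison, which is why this class of bug is easy to ship: the vulnerable site still talks to the real provider and still rejects expired and unknown tokens, so ordinary testing passes. A useful detection heuristic on the provider side of logs is the same comparison in reverse: a token's audience not matching the client that presented it.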
According to the report, three major websites were found vulnerable to the attack: Grammarly, Vidio and Bukalapak.
The latter is an Indonesian e-commerce platform with more than 150 million monthly active users. Vidio is an online video streaming platform with 100 million monthly active users and offers a wide range of content such as movies, TV shows, live sports and original productions. Grammarly is a grammar and spelling checker with over 30 million daily active users. While these numbers are already extremely large, the researchers warn that thousands of other websites likely use the same social login mechanisms and are therefore similarly vulnerable. The conclusion is that hundreds of millions, if not billions, of user accounts are at risk.
After finding the flaw, Salt contacted the three websites, all of which had fixed the vulnerability before the findings were published.