Warning: Sloppy OAuth Implementation Puts Billions of People at Risk

According to researchers at Salt Security, social single sign-on built on OAuth suffers from a common implementation weakness that attackers can exploit to gain unauthorized access to user accounts.


OAuth is the login protocol that allows consumers to use their Facebook or Google credentials (or other third-party credentials) to access internet sites instead of creating a separate login for each one. Its security rests on an essential implementation step: it is the website, not Facebook or Google, that must verify that the token it receives was actually issued for that website before granting access.

Salt Security, in a blog post published Tuesday, says it found a handful of sites, including the AI-based writing app Grammarly, that skip this validation step, allowing the researchers to reuse a token issued for a different site to access a victim's account.

“These 3 sites are enough for us to prove our point, and we have made the decision not to pursue further targets, however, we know that thousands of other internet sites will be vulnerable to the attack we detail in this article, putting billions more internet users at risk, in danger every day,” the company wrote. Earlier this year, the company disclosed flaws in the Expo framework, which is used across many online services to implement OAuth (see: OAuth Failure Exposes Social Media Logins to Account Takeover).

Social login assumes that a user has accounts spread across many internet sites. Instead of creating a login ID for each website, the user turns to a third party to provide credentials, which are passed along to the website as a token. When a user signs in with social login, the website itself must check whether the token is valid. Under the OAuth standard, it does this by calling an API that confirms (or denies) that the token's application ID corresponds to the correct website.

The attack would not work as long as each and every site that accepts social login makes sure to validate the token's application ID, wrote Aviad Carmel, a researcher at Salt.
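The validation step the article describes, as an added example that is not code from Salt Security or from any of the affected sites: a relying party inspects the provider's token-introspection result and accepts the token only if it was issued for its own app. The response shape is modelled on Facebook's debug_token format, but all IDs and values below are constructed for the example.

```python
import json
import time

# Constructed sample responses in the shape of a provider's token-introspection
# endpoint (modelled on Facebook's debug_token output; every value is made up).
OUR_APP_ID = "222222222222222"       # the relying party's own app ID (constructed)
ATTACKER_APP_ID = "111111111111111"  # a different app the token was issued for


def make_debug_response(app_id: str, user_id: str = "9876543210",
                        is_valid: bool = True, expires_at: int = 2_000_000_000) -> str:
    """Build a constructed introspection response as the JSON string a site would parse."""
    return json.dumps({"data": {"app_id": app_id, "is_valid": is_valid,
                                "user_id": user_id, "expires_at": expires_at,
                                "scopes": ["email", "public_profile"]}})


def login_user_insecure(debug_response: str) -> str:
    """The weakness described in the article: the site checks that the token is
    valid and logs in the user it names, never asking which app it was issued for."""
    data = json.loads(debug_response)["data"]
    if not data.get("is_valid"):
        raise PermissionError("token invalid")
    return data["user_id"]


def login_user(debug_response: str, our_app_id: str = OUR_APP_ID, now: float = None) -> str:
    """Hardened version: the token must be valid, unexpired, and issued for *our* app."""
    now = time.time() if now is None else now
    data = json.loads(debug_response)["data"]
    if not data.get("is_valid"):
        raise PermissionError("token invalid")
    if data.get("expires_at", 0) <= now:
        raise PermissionError("token expired")
    if data.get("app_id") != our_app_id:
        # A token issued for some other site is rejected even though the
        # provider reports it as valid and it names a real user.
        raise PermissionError("token was not issued for this application")
    return data["user_id"]
```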

Carmel says three sites did not: Indonesian video streaming service Vidio; Bukalapak, a leading Indonesian e-commerce platform; and Grammarly.

This allowed Carmel to take a token generated for the malicious site YourTimePlanner.com and use it to log into Vidio. Vidio told Salt Security that “the vulnerability primarily affected the implementation of Facebook OAuth” and that it was only active “for a certain amount of time” due to a migration from one Facebook OAuth app to another. Bukalapak told Salt that it has since implemented and enabled one-time passwords for logins.

Grammarly's login procedure required an extra step to exploit, Carmel explains, because instead of accepting a token directly, it asks for a code that is then exchanged for a token. Carmel said he could make Grammarly accept a token up front through a small change to the OAuth response sent to Grammarly. The writing-assistant vendor told Salt that it has patched the vulnerability.
