In today’s digital age, the convenience of social login mechanisms has revolutionized the way we access websites and apps. It’s as simple as clicking a button to log in with your Facebook or Google account, eliminating the need to remember multiple passwords. However, a recent report by API security company Salt Security has uncovered a critical vulnerability in these social login systems, leaving thousands of websites and a billion users at risk of account takeovers.

The Vulnerability Uncovered

Salt Security’s latest research has pinpointed vulnerabilities in the access token verification step of the social sign-in process, particularly within the OAuth implementation on various websites. OAuth is like a digital key that allows websites and apps to access certain information from other services without requiring a password.

It’s a favourite among both users and websites, as it simplifies user identity verification by tapping into their social media accounts like Google or Facebook.

However, the catch is that a website must properly verify the token it is handed, including confirming that it was actually issued for that website’s own application, before approving access; this is a step that many platforms fail to execute effectively.

Consequently, Salt Labs researchers were able to exploit this loophole by presenting a token issued for one site as though it were a verified token for another, gaining access to user accounts. This technique is commonly known as a “Pass-The-Token” attack.
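To make the missing verification step concrete, here is an added example that is not Salt Security’s code nor that of any platform named in the report. Both logins accept an access token from the client and look it up with the identity provider, but only the hardened one checks that the token was issued for this site’s own application. The introspection reply is modelled on the app_id / is_valid / user_id fields of Facebook’s token-debug response; the app ids, token strings and user id are constructed.

```python
# Added example: the audience check that separates a pass-the-token
# vulnerable social login from a correct one. Not code from the report
# or from Vidio, Bukalapak or Grammarly.
from typing import Optional

OUR_APP_ID = "app-ourshop-0001"   # constructed: this site's own OAuth app id

# Constructed stand-in for the provider's token-introspection service,
# keyed by the opaque access token string. "tok-ourshop" was issued for
# this site; "tok-otherapp" was issued for a different application but
# belongs to the same victim user (the pass-the-token case).
INTROSPECTION = {
    "tok-ourshop":  {"app_id": "app-ourshop-0001",  "is_valid": True,  "user_id": "victim-42"},
    "tok-otherapp": {"app_id": "app-attacker-9999", "is_valid": True,  "user_id": "victim-42"},
    "tok-expired":  {"app_id": "app-ourshop-0001",  "is_valid": False, "user_id": "victim-42"},
}


def introspect(access_token: str) -> Optional[dict]:
    """Offline stand-in for calling the identity provider about a token."""
    return INTROSPECTION.get(access_token)


def login_vulnerable(access_token: str) -> Optional[str]:
    """The flaw the report describes: the token is valid and names a user,
    so the site logs that user in. Nothing checks WHICH application the
    token was minted for, so a token from another app is accepted."""
    info = introspect(access_token)
    if info and info["is_valid"]:
        return info["user_id"]
    return None


def login_hardened(access_token: str) -> Optional[str]:
    """Same flow plus the audience check: only tokens the provider issued
    to OUR application may authenticate a user on this site."""
    info = introspect(access_token)
    if not info or not info["is_valid"]:
        return None
    if info["app_id"] != OUR_APP_ID:   # token was issued for another app: reject
        return None
    return info["user_id"]
```

The same check applies to Google sign-in, where the field to compare against your client id is `aud` rather than `app_id`.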

The implications are staggering; these vulnerabilities could have compromised nearly a billion user accounts across various websites. Attackers could potentially access user accounts on a wide range of platforms, including banking, payment and other services that hold sensitive data.

They could also perform actions on behalf of the user, leading to identity theft and financial fraud.

Real-World Examples

To highlight the gravity of the situation, the report provided examples of vulnerable platforms that have since addressed these issues:

  1. Vidio: Vidio, an online video streaming platform with 100 million monthly active users, offers a wide array of content. Researchers found OAuth security vulnerabilities when logging in through Facebook. Because Vidio.com failed to verify the token, an attacker could manipulate API calls to insert an access token generated for a different application, potentially leading to massive account takeovers.
  2. Bukalapak: Bukalapak, one of Indonesia’s largest e-commerce platforms with over 150 million monthly users, also neglected to verify access tokens when users registered using social logins. This oversight allowed the Salt Labs team to access user credentials and take over user accounts.
  3. Grammarly: The popular AI-powered writing tool, used by over 30 million people daily, was not immune to this vulnerability. Researchers were able to manipulate the API exchange to insert code used for verifying users on a different site, ultimately obtaining the credentials and taking over user accounts.

The Wider Implications

OAuth is one of the fastest-adopted technologies in the field of application security, becoming one of the most popular protocols for user authorization and authentication. Yaniv Balmas, VP of Research at Salt Security, highlights the potential impacts that OAuth implementation issues can have on businesses and their customers.

While several companies have taken steps to remediate this class of vulnerability after coordinated disclosure, countless other websites still use similar sign-in mechanisms, leaving billions of individuals worldwide at risk. It’s crucial for businesses to ensure the security of their social login systems and for users to remain vigilant about the platforms they trust with their personal information.

Salt Security’s State of API Security Report for Q1 2023 underscores the pressing need for action in this realm. It revealed a 400% increase in unique attackers over the last six months, with 43% of respondents expressing high concern about account takeovers.

Protecting your online identity has never been more critical. Be aware of the risks, choose your login methods wisely, and remain vigilant in the ever-evolving landscape of online security.

We hope you’ve enjoyed this blog. Be sure to watch out for our future weekly blog releases and thanks for reading!