
OAuth Vulnerabilities in Popular Online Services Allowed Account Takeovers

Published by Shipra Sanganeria on October 26, 2024

Salt Security, in the third and final segment of its series on issues in implementations of the OAuth framework, revealed flaws in the social login mechanisms of popular services such as Grammarly, Vidio, and Bukalapak.

The research identified weaknesses in how the social sign-in part of the OAuth flow verifies access tokens. If exploited, these vulnerabilities let an attacker not only steal user credentials but also take full control of the victim’s account, hijacking sessions and committing identity theft or financial fraud.

OAuth is a widely used authorization and authentication protocol that lets websites and web services offer a simple one-click sign-in: users sign in to a website through their social media accounts (for example Google or Facebook).

A secure implementation, however, requires that the website verify the access token it receives, including that the token was actually issued for its own application, and this is something many online service providers failed to do. Salt Security demonstrated the flaw in an experiment in which its researchers submitted a token issued to another site and the target accepted it as a valid token. This technique, known as a “Pass-The-Token Attack”, gave the researchers complete control over a user’s account.
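To make the missing check concrete, here is an added Python sketch (not Salt Security’s code, nor that of any of the named services) of the social-login token-verification step with and without the check that the token was issued to the receiving app; the provider lookup, client ID and token strings are constructed stand-ins.

```python
"""Why a social-login access token must be checked against the receiving app.

Added example. The identity-provider lookup is simulated with a constructed
table; real providers expose a token-introspection endpoint that returns
similar fields (audience, subject, expiry). Client ID and tokens are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical: the client/app ID the identity provider issued to OUR site.
OUR_CLIENT_ID = "app-our-site-example"

NOW = 1_700_000_000  # fixed clock so the example is deterministic


@dataclass(frozen=True)
class TokenInfo:
    aud: str  # application the token was issued to
    sub: str  # user the token belongs to
    exp: int  # expiry as a Unix timestamp


# Constructed stand-in for the provider's introspection endpoint.
_PROVIDER: Dict[str, TokenInfo] = {
    # Token issued to our own app for user 1001: the legitimate case.
    "tok-ours-1001": TokenInfo(aud=OUR_CLIENT_ID, sub="1001", exp=2_000_000_000),
    # Same user, but the token was issued to a DIFFERENT app: pass-the-token input.
    "tok-other-1001": TokenInfo(aud="app-some-other-site", sub="1001", exp=2_000_000_000),
    # Expired token issued to our app.
    "tok-ours-expired": TokenInfo(aud=OUR_CLIENT_ID, sub="1001", exp=1_000_000_000),
}


def introspect(token: str) -> Optional[TokenInfo]:
    """Ask the (simulated) identity provider what it knows about a token."""
    return _PROVIDER.get(token)


def login_missing_audience_check(token: str, now: int = NOW) -> Optional[str]:
    """The flawed pattern: 'valid and unexpired' is treated as 'issued to us'."""
    info = introspect(token)
    if info is None or info.exp <= now:
        return None
    return info.sub  # any app's token for this user logs the user in here


def login_with_audience_check(token: str, now: int = NOW) -> Optional[str]:
    """The mitigation: additionally require the token to be issued to our app."""
    info = introspect(token)
    if info is None or info.exp <= now:
        return None
    if info.aud != OUR_CLIENT_ID:
        return None  # token was minted for another site: reject it
    return info.sub
```

The same user's token from another site logs the user in under the flawed version and is rejected under the hardened one; expiry alone does not distinguish the two cases.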

Although the experiment identified vulnerabilities in the social login processes of Grammarly, Vidio, and Bukalapak, the company stated: “[..] we expect that 1000s of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day.”

The researchers went on to say that the OAuth framework is well-designed and secure. The problem lies in its implementation. “We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely.”

After discovery, the platforms mentioned above were notified of these vulnerabilities, and each of them has since taken steps to close the security gaps.

Salt Security’s current disclosure comes just months after the company revealed flaws in the implementation of the OAuth protocol by popular online services such as Booking.com and Expo.
