October 24, 2023 at 08:05AM
Flaws in the OAuth standard implementation across Grammarly, Vidio, and Bukalapak may have allowed attackers to take over user accounts and engage in fraudulent activities. The Salt Labs researchers discovered API misconfigurations, which could potentially affect other compromised sites. This issue, referred to as a “Pass-The-Token” flaw, allows attackers to use a token from a third-party site to log in to other services. Fortunately, these misconfigurations have been resolved in the three mentioned services, but there may still be many other vulnerable websites. It is crucial for developers to have a solid understanding of OAuth and implement it securely to avoid such risks.
According to meeting notes, researchers from Salt Labs have discovered critical API misconfigurations in the implementation of the Open Authorization (OAuth) standard across three prominent online services: Grammarly, Vidio, and Bukalapak. These misconfigurations could have allowed attackers to take over user accounts on dozens of websites, potentially leading to credential theft, financial fraud, and cybercriminal activity.
The researchers refer to the discovered flaw as a “Pass-The-Token” flaw, where an attacker can use a token from a third-party site, owned by the attacker, to log in to another service on behalf of the user. For example, if a user logged into a site owned by the attacker, the attacker could then use the user’s token to log in to other sites, like Grammarly.
The researchers found the issues in Vidio, Bukalapak, and Grammarly between February and April. They notified the three companies, and the misconfigurations have been resolved in these services. However, they believe that thousands of other websites may be vulnerable to similar attacks, putting billions of internet users at risk.
The meeting notes emphasize the importance of secure implementation of OAuth. While OAuth itself is well-designed and has secure servers on the back end (e.g., Google and Facebook), issues can arise when developers implement the standard into their services. Without proper knowledge and awareness, attackers can exploit vulnerabilities and cause serious harm to website users.
Developers are urged to have a solid understanding of how OAuth works and common pitfalls. It is also recommended to use third-party tools that monitor for anomalies and deviations from typical behavior to identify potential attacks and protect users.
Overall, the meeting notes highlight the risks associated with OAuth misconfigurations and stress the need for diligent implementation and ongoing security measures.