October 25, 2023 at 09:45AM
Critical security flaws in the OAuth implementation of popular online services such as Grammarly, Vidio, and Bukalapak have been disclosed. These weaknesses could have allowed malicious actors to hijack user accounts by obtaining access tokens. The vulnerabilities have been addressed by the respective companies. OAuth, commonly used for cross-application access, can lead to identity theft, financial fraud, and access to sensitive personal information if breached. Vidio and Bukalapak had token verification issues, while Grammarly had a problem with its authentication process.
Critical security flaws have been found in the Open Authorization (OAuth) implementation of popular online services like Grammarly, Vidio, and Bukalapak. These flaws, which the respective companies addressed between February and April 2023, could have allowed malicious actors to gain access to user accounts by obtaining access tokens.
OAuth is commonly used as a method for cross-application access, allowing websites and applications to access information from other websites without needing passwords. However, when there are security breaches in OAuth, it can lead to identity theft, financial fraud, and unauthorized access to personal information.
The specific vulnerabilities were identified in Vidio and Bukalapak’s token verification processes. In the case of Vidio, the absence of token verification meant an attacker could use an access token generated for another App ID to take over a user’s account. Similarly, Bukalapak had a token verification issue with Facebook login, which could result in unauthorized account access.
As for Grammarly, it was discovered that the “Sign in with Facebook” option sent an HTTP POST request to authenticate users using a secret code. Although Grammarly was not susceptible to token reuse attacks like Vidio and Bukalapak, it was still vulnerable to a different type of problem: the POST request could be altered to substitute the secret code with an access token obtained from a malicious website, giving the attacker access to the user’s account and stored documents.
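The two server-side checks whose absence is described above, as an added example (not code from any of the named services): confirming that a token was issued to the service's own App ID, and refusing an access token on an endpoint that expects an authorization code. The `is_valid`, `app_id`, `user_id` and `expires_at` fields follow the reply of Facebook's `debug_token` endpoint; the form field names, App IDs and sample replies are constructed for illustration.

```python
import time

EXPECTED_APP_ID = "1111111111"  # constructed placeholder for this service's own App ID


class TokenRejected(Exception):
    """Raised when a presented credential must not be used to log a user in."""


def check_token_introspection(data, expected_app_id, now=None):
    """Validate the 'data' object of a token-introspection reply.

    Returns the provider user ID only if the token is valid, unexpired and
    was issued to *our* app. Skipping the app_id comparison is the missing
    verification step described for Vidio and Bukalapak.
    """
    now = time.time() if now is None else now
    if not data.get("is_valid"):
        raise TokenRejected("provider reports token as invalid")
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at", 0)
    # Assumption: expires_at == 0 marks a non-expiring token.
    if expires_at != 0 and expires_at <= now:
        raise TokenRejected("token expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("no user bound to token")
    return str(user_id)


def extract_login_code(form):
    """Accept only the authorization code on a code-flow login endpoint.

    Field names 'code' and 'access_token' are hypothetical.
    """
    if "access_token" in form:
        raise TokenRejected("access token not accepted on code-flow endpoint")
    code = form.get("code")
    if not code:
        raise TokenRejected("missing authorization code")
    return code


# Constructed sample replies (not real tokens or IDs).
OURS = {"is_valid": True, "app_id": "1111111111", "user_id": "42", "expires_at": 2000000000}
FOREIGN = dict(OURS, app_id="2222222222")  # same user, token minted for another app
```
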
It is important to address these security flaws promptly to protect user data and prevent any potential security breaches.