Carding 4 Carders
Thousands of platforms are putting their users at risk by incorrectly verifying tokens.
Salt Security researchers have identified vulnerabilities in how sites implement OAuth, the authorization standard that lets websites and applications access information from another service in a single click, without the user entering a password. The most popular use of this standard is logging in to third-party platforms through social networks.
We've all seen these options on different websites. For example, "Log in via VKontakte".
For authorization through social networks, a special "token" is used to confirm our identity. However, as Salt Labs found out, not all sites check it correctly. During the study, the researchers managed to substitute a token issued for a different application and gain access to other people's accounts on several platforms. This method of hacking was called a "Pass-The-Token Attack" or "token transfer attack".
"The vulnerability could affect almost a billion accounts on different sites," the researchers warn.
The bug potentially allows attackers to gain access to accounts on dozens of services, including banking and payment systems. Examples include Grammarly, Vidio, and Bukalapak.
Vidio, a video streaming platform with more than 100 million active users, offers a wide range of content. An OAuth bug was detected here when logging in via Facebook.
"Since the Vidio.com site did not check the tokens (the developers should have taken care of this, not OAuth itself), attackers could interact with the API by substituting a key created for another service. A spoofed token combined with an app ID allowed the Salt Labs research team to impersonate one of the real Vidio users. This could lead to a massive seizure of control over thousands of accounts," the report says.
In Bukalapak, one of the largest online shopping platforms in Indonesia with an audience of more than 150 million people, the problem occurred when registering via social networks. The site validated tokens incorrectly, so the researchers were likewise able to substitute a token issued for another site and gain access to the credentials of one of the buyers.
Grammarly, an AI-powered text verification and correction tool used by more than 30 million people every day, has faced an identical problem.
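The flaw common to the three cases above is that the site accepts any token the identity provider says belongs to a user, without confirming the token was issued to the site's own application. The following is an added example, not code from Salt Labs or from any of the sites named here. It places the weak check beside a hardened one, using a constructed stand-in for the identity provider's token-introspection endpoint; the response fields (app_id, is_valid, user_id, expires_at, scopes) follow the shape of Facebook's debug_token reply, and the app ID and token strings are invented.

```python
"""Pass-the-token: weak vs. hardened verification of a social-login token.

Added example, not the code of Salt Labs or of any site in the article.
The identity provider's introspection endpoint is simulated with constructed
responses shaped like Facebook's /debug_token reply.
"""

# Constructed: the client (app) id this site registered with the identity provider.
OUR_APP_ID = "111111111111111"

# Fixed clock so the example is deterministic (constructed Unix timestamp).
NOW = 1_700_000_000

# Constructed introspection results, keyed by opaque token string.
# "tok_other_app" was legitimately issued for the SAME user but to a DIFFERENT
# application; this is the token an attacker passes to a site that only checks
# "does this token map to a user?".
FAKE_INTROSPECTION = {
    "tok_ours": {
        "app_id": OUR_APP_ID, "is_valid": True, "user_id": "u-42",
        "expires_at": NOW + 3600, "scopes": ["email", "public_profile"],
    },
    "tok_other_app": {
        "app_id": "999999999999999", "is_valid": True, "user_id": "u-42",
        "expires_at": NOW + 3600, "scopes": ["email", "public_profile"],
    },
    "tok_expired": {
        "app_id": OUR_APP_ID, "is_valid": True, "user_id": "u-42",
        "expires_at": NOW - 1, "scopes": ["email"],
    },
    "tok_revoked": {
        "app_id": OUR_APP_ID, "is_valid": False, "user_id": "u-42",
        "expires_at": NOW + 3600, "scopes": ["email"],
    },
}


def introspect(token):
    """Stand-in for the provider's introspection call (constructed data).

    In production this is a server-to-server request authenticated with the
    site's own app credentials; here it is a dictionary lookup.
    """
    return FAKE_INTROSPECTION.get(token)


def weak_login(token):
    """The pattern the article describes: any token that resolves to a user
    id is trusted, so a token minted for some other app logs the user in."""
    info = introspect(token)
    if info is None:
        return None
    return info["user_id"]


def verify_token(info, now=NOW):
    """Hardened verification. Returns "ok" or a reason string for rejection.

    The decisive check for pass-the-token is the audience check: the token's
    app_id must equal the id of THIS application. Validity and expiry are
    checked as well, since introspection reports them for free.
    """
    if info is None:
        return "unknown_token"
    if not info.get("is_valid", False):
        return "revoked"
    if info.get("app_id") != OUR_APP_ID:
        return "wrong_audience"
    if info.get("expires_at", 0) <= now:
        return "expired"
    return "ok"


def strict_login(token, now=NOW):
    """Log the user in only when every check in verify_token passes."""
    info = introspect(token)
    if verify_token(info, now) != "ok":
        return None
    return info["user_id"]


if __name__ == "__main__":
    for tok in FAKE_INTROSPECTION:
        print(f"{tok:14s} weak={weak_login(tok)!s:5s} "
              f"strict={strict_login(tok)!s:5s} reason={verify_token(introspect(tok))}")
```

Running the block shows `tok_other_app` accepted by `weak_login` and rejected by `strict_login` with reason `wrong_audience`, which is exactly the distinction the Vidio and Bukalapak findings turn on. For OpenID Connect ID tokens the equivalent defence is verifying the `aud` claim against your own client ID after checking the signature; for opaque OAuth access tokens, only the provider's introspection endpoint can tell you which application the token was issued to, so that call must be made and its app identifier compared.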
"OAuth has already become one of the leaders in application security and continues to gain popularity as the main protocol for authorization and authentication," said Yaniv Balmas, vice president of Research at Salt Security. "The work of Salt Labs clearly shows the risks associated with incorrect implementation of OAuth for companies and their customers."
The Salt Security report on Web service API security revealed an alarming increase in the number of cyber attacks in the first quarter of 2023. Over the past six months, the number of incidents has increased by 400%. 43% of users surveyed expressed deep concern about the security of their accounts and the risk of unauthorized hijacking.
