Salt Security: Thousands of Websites, Billions of Users Vulnerable to Account Takeover

It's easy to leave cracks when adding social-login functionality.

Edward Gately, Senior News Editor

October 24, 2023


Thousands of websites using social sign-in mechanisms are vulnerable to cyberattacks, putting billions of individuals around the globe at risk.

That's according to Salt Security's new threat research. Salt Labs uncovered API security vulnerabilities in the social sign-in and Open Authorization (OAuth) implementations of multiple online companies, including Grammarly, Vidio and Bukalapak. The vulnerabilities could have affected nearly 1 billion user accounts across these three sites, and could have allowed credential leakage and full account takeover (ATO).

While those flaws have been remediated, thousands of other websites remain vulnerable to the same type of attack.

The vulnerabilities identified could allow cybercriminals to:

  • Gain complete access to a user's accounts on dozens of websites, potentially allowing access to bank accounts, credit card details and other sensitive data.

  • Perform any action on behalf of that user, which may lead to identity theft and financial fraud.

Grammarly is an artificial intelligence (AI)-powered writing tool that offers grammar, punctuation and spelling checks and other writing tips to more than 30 million daily users.

Vidio is an online video streaming platform with 100 million monthly active users. And Bukalapak is one of Indonesia's largest and most prominent eCommerce platforms, with more than 150 million monthly users.

Salt Security Suspects More Danger Lurks

Yaniv Balmas, Salt Security's vice president of research, said "we expect that thousands of other websites are vulnerable to the attack we detail in our latest research, putting billions of additional internet users at risk."


"While OAuth is well-designed, and while the major OAuth providers, such as Google, Facebook and others, have very secure servers, issues are often found on the side of the service implementing OAuth," he said. "It is very easy for anyone to add social-login functionality to their website, whether by implementing it themselves or using third-party solutions. However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

Web services that wish to implement social login or any other OAuth-related functionality should make sure they have a solid understanding of how OAuth works and of the common pitfalls that can be abused, Balmas said.

"They can also use third-party tools that monitor for anomalies and deviations from normal, which may identify yet unknown attacks and provide a safety net ensuring the safety of their users," he said.

Salt Security's findings should be "very interesting" to anyone, even if they know little about OAuth, APIs or how social logins work, Balmas said.

"Each one of us logs in to dozens of web services on a daily basis," he said. "The issues we found affect more than 1 billion users who might have found their accounts breached had this issue been found by other, less friendly parties."
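One of the cracks Balmas describes on the implementing side is a site that accepts a social-login access token from the browser and asks the provider only "is this token valid, and for which user?", never checking whether the token was issued to this site at all. Any app the user has ever signed in to with the same provider then holds a token that logs the user in to the vulnerable site. The following is an added example written for this page, not code from the article, from Salt Labs or from any of the companies named; the provider, client IDs, token strings and token-info responses are constructed stand-ins for a real provider's token-introspection endpoint, and the example does not describe the specific bugs Salt Labs found.

```python
"""Added example: a social-login callback that accepts a provider access token,
in a vulnerable form and a hardened form. Everything below (issuer, client IDs,
tokens, token-info responses) is constructed for the example."""

from typing import Optional

# Assumed identifiers for this example.
OUR_CLIENT_ID = "victim-site-client-id"
ATTACKER_CLIENT_ID = "attacker-app-client-id"
PROVIDER_ISSUER = "https://idp.example"   # hypothetical identity provider
NOW = 1_700_000_000                        # fixed clock so the example is deterministic

# Constructed stand-in for the provider's token-info endpoint. A real provider
# returns similar fields (subject, audience / app id, issuer, expiry).
TOKEN_INFO = {
    # Token the provider issued to *our* site after the user consented.
    "tok-for-our-site": {
        "iss": PROVIDER_ISSUER, "sub": "user-42", "aud": OUR_CLIENT_ID, "exp": NOW + 3600},
    # Same user, but the token was issued to an app the attacker controls (the
    # user once signed in to it). The provider considers it perfectly valid.
    "tok-for-attacker-app": {
        "iss": PROVIDER_ISSUER, "sub": "user-42", "aud": ATTACKER_CLIENT_ID, "exp": NOW + 3600},
    "tok-expired": {
        "iss": PROVIDER_ISSUER, "sub": "user-42", "aud": OUR_CLIENT_ID, "exp": NOW - 10},
    "tok-other-issuer": {
        "iss": "https://other-idp.example", "sub": "user-42", "aud": OUR_CLIENT_ID, "exp": NOW + 3600},
}


def introspect(token: str) -> Optional[dict]:
    """Stand-in for an HTTPS call to the provider's token-info endpoint."""
    return TOKEN_INFO.get(token)


def login_vulnerable(token: str) -> Optional[str]:
    """Common mistake: 'the provider says the token is valid and names a user,
    so log that user in'. It never checks who the token was issued to."""
    info = introspect(token)
    if info is None:
        return None
    return info["sub"]


def login_hardened(token: str, now: int = NOW) -> Optional[str]:
    """Accept the token only if our provider issued it, to our client ID, and it
    has not expired. Otherwise refuse and establish no session."""
    info = introspect(token)
    if info is None:
        return None
    if info.get("iss") != PROVIDER_ISSUER:
        return None
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:
        return None          # token was minted for some other app: reject it
    if not isinstance(info.get("exp"), int) or info["exp"] <= now:
        return None
    return info["sub"]


if __name__ == "__main__":
    stolen = "tok-for-attacker-app"
    print("vulnerable:", login_vulnerable(stolen))   # logs user-42 in: account takeover
    print("hardened:  ", login_hardened(stolen))     # None: rejected
```

The audience check is the one that matters here: the provider vouches that the token is genuine and belongs to user-42, but only the relying party can know whether the token was meant for it. In production the same site should also use the authorization-code flow with `state` (and PKEK where supported) rather than accepting bare tokens from the browser, and verify the signature, issuer and audience of any ID token before trusting its claims.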


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
