Salt Security Discovers Flaws in Social Login Mechanism Impacting Thousands of Websites and Exposing Billions of Users to Account Takeover
PALO ALTO, Calif., Oct. 24, 2023 /PRNewswire/ -- Salt Security, the leading API security company, today released new threat research from Salt Labs highlighting API security vulnerabilities uncovered in the social sign-in and Open Authentication (OAuth) implementations of multiple online companies, including Grammarly, Vidio, and Bukalapak. The flaws, which have since been remediated, could have allowed credential leakage and enabled full account takeover (ATO). Salt Labs also reported that thousands of other websites using social sign-in mechanisms are likely vulnerable to the same type of attack, putting billions of individuals around the globe at risk.
- The flaws, which have since been remediated, could have allowed credential leakage and enabled full account takeover (ATO).
- Salt Labs also reported that thousands of other websites using social sign-in mechanisms are likely vulnerable to the same type of attack, putting billions of individuals around the globe at risk.
- This latest research identified flaws in the access token verification step of the social sign-in process, part of the OAuth implementation on these websites.
- Because of this, by presenting an access token that had been issued for another website, the Salt Labs team could access a user's credentials in bukalapak.com and completely take over that user's account.
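The weakness the bullets describe is a missing audience check: the relying site treated any valid provider token as proof of the user's identity, without confirming that the token had been issued to that site's own OAuth client. The example below, added here and not taken from Salt Labs or from any of the named companies, contrasts a token-verification step that trusts the user identity in any active token with one that also checks the issuer, the audience (client id) and the expiry. The introspection responses, client ids and issuer URL are constructed placeholders standing in for what a real provider's token-info or introspection endpoint would return.

```python
from typing import Optional

# Constructed placeholders: the relying site's own OAuth client id, some
# other application's client id, and the identity provider's issuer URL.
OUR_CLIENT_ID = "example-shop-client-id"       # constructed placeholder
OTHER_CLIENT_ID = "unrelated-app-client-id"    # constructed placeholder
PROVIDER_ISSUER = "https://idp.example"         # constructed placeholder

NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed stand-in for a provider's token introspection endpoint.
# Both of the first two tokens belong to the same end user, but were
# issued to different client applications (the "aud" field differs).
INTROSPECTION_DB = {
    "token-issued-to-our-app": {
        "active": True, "iss": PROVIDER_ISSUER, "aud": OUR_CLIENT_ID,
        "sub": "user-1234", "email": "alice@example.com", "exp": NOW + 3600,
    },
    "token-issued-to-other-app": {
        "active": True, "iss": PROVIDER_ISSUER, "aud": OTHER_CLIENT_ID,
        "sub": "user-1234", "email": "alice@example.com", "exp": NOW + 3600,
    },
    "token-expired": {
        "active": True, "iss": PROVIDER_ISSUER, "aud": OUR_CLIENT_ID,
        "sub": "user-1234", "email": "alice@example.com", "exp": NOW - 60,
    },
}


def introspect(token: str) -> Optional[dict]:
    """Look up token metadata; a real site would call the provider here."""
    return INTROSPECTION_DB.get(token)


def vulnerable_login(token: str) -> Optional[str]:
    """Flawed verification: any active token naming a user is accepted.

    A token that the provider issued to a different application still
    carries this user's "sub", so it logs the caller in as that user.
    """
    info = introspect(token)
    if not info or not info.get("active"):
        return None
    return info["sub"]


def hardened_login(token: str, now: int = NOW) -> Optional[str]:
    """Verification that binds the token to this site's own OAuth client."""
    info = introspect(token)
    if not info or not info.get("active"):
        return None
    if info.get("iss") != PROVIDER_ISSUER:
        return None  # token not from the provider we trust
    # "aud" may be a single value or a list; this site must be among them.
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:
        return None  # token was issued for some other application
    if int(info.get("exp", 0)) <= now:
        return None  # expired
    return info["sub"]


if __name__ == "__main__":
    for t in INTROSPECTION_DB:
        print(f"{t}: vulnerable={vulnerable_login(t)} hardened={hardened_login(t)}")
```

The audience check is the one that closes the gap described above: a token is only evidence of identity for the application it was issued to. Where the provider returns a JWT instead of an introspection response, the same checks apply to the JWT's `iss`, `aud` and `exp` claims after its signature has been verified.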