Salt Security: Thousands of Websites, Billions of Users Vulnerable to Account Takeover

Thousands of websites using social sign-in mechanisms are vulnerable to cyberattacks, putting billions of individuals around the globe at risk.

That's according to Salt Security's new threat research. Salt Labs uncovered API security vulnerabilities in the social sign-in and Open Authentication (OAuth) implementations of multiple online companies, including Grammarly, Vidio and Bukalapak. The vulnerabilities could have impacted nearly 1 billion user accounts across these three sites. The flaws also could have allowed for credential leakage and enabled full account takeover (ATO).

While those flaws have been remediated, thousands of other websites remain vulnerable to the same type of attack.

The vulnerabilities identified could allow cybercriminals to:

Grammarly is an artificial intelligence (AI)-powered writing tool that helps users improve their writing by offering grammar, punctuation, spelling checks and other writing tips to more than 30 million daily users.

Vidio is an online video streaming platform with 100 million monthly active users. And Bukalapak is one of Indonesia's largest and most prominent eCommerce platforms, with more than 150 million monthly users.

Salt Security Suspects More Danger Lurks

Yaniv Balmas, Salt Security's vice president of research, said "we expect that thousands of other websites are vulnerable to the attack we detail in our latest research, putting billions of additional internet users at risk."

Salt Security's Yaniv Balmas

"While OAuth is well-designed, and while the major OAuth providers, such as Google, Facebook and others have very secured servers, issues are often found at the side of the service implanting OAuth," he said. "It is very easy for anyone to add social-login functionality to their website, whether by implementing it themselves, or using third-party solutions. However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users."

Web services who wish to implement social-login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused, Balmas said.

"They can also use third-party tools that monitor for anomalies and deviations from normal, which may identify yet unknown attacks and provide a safety net ensuring the safety of their users," he said.

Salt Security's findings should be "very interesting" to anyone, even if they know little about OAuth, APIs or how social logins work, Balmas said.

"Each one of us logs in to dozens of web services on a daily basis," he said. "The issues we found affect more than 1 billion users who might have found their accounts breached had this issue been found by other, less friendly parties."