HomeVulnerabilityFailure to confirm OAuth tokens allows account takeover on web sites

Failure to confirm OAuth tokens allows account takeover on web sites

If that web site is an e-commerce platform like Bukalapak, the person might need billing and fee data saved of their profile. If it’s a service like Grammarly, the person might need delicate paperwork and so forth.

Different variations and implementation oversights

OAuth is a posh customary and permits for varied implementation variants. For instance, as an alternative of utilizing redirect URLs between the location and the identification supplier, the location may select to make use of the PostMessage function, however the assault continues to be doable in such an implementation if the token isn’t validated.

Passing tokens through URLs is probably susceptible to man-in-the-middle assaults if an attacker has the flexibility to passively monitor visitors and simply extract the OAuth token from the URL they observe. Due to this, OAuth additionally supplies a safer strategy the place the identification supplier points a one-time code as an alternative of an entry token, then the web site takes that code along with an utility secret solely itself and Fb is aware of and exchanges the code right into a token utilizing the Fb API.

See also  Port shadow: One more VPN weak point ripe for exploit

Grammarly truly used this safer code-based strategy when the Salt Safety staff examined its OAuth implementation. Nonetheless, the researchers noticed the Grammarly OAuth script took requests with the entry code within the request and puzzled if it could embody a perform that takes tokens as nicely. Subsequently, they tried making requests by changing code with totally different phrases like token, facebookToken, FBtoken and totally different variations, till they discovered that access_token labored and was accepted.

In different phrases, they managed to downgrade Grammarly’s implementation to the safer variant as a result of the code to deal with tokens immediately as an alternative of code was nonetheless left within the script as an possibility. And it turned out, there was no token validation step to examine for the app ID.

The Salt Safety researchers discovered different OAuth implementation flaws in main web sites previously, together with some that might have given attackers entry to Reserving.com accounts. “It is extraordinarily essential to verify your OAuth implementation is safe,” the researchers mentioned. “The repair is only one line of code away…. When OAuth is used to offer service authentication, any security breach in it could actually result in identification theft, monetary fraud, and entry to numerous private data together with bank card numbers, personal messages, well being data, and extra, relying on the particular service being attacked.”

See also  Lacework provides a number of extensions to its multicloud security platform
- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular