Blogs

Social login flaws put billions of users at risk of account takeover

Flaws in social login mechanisms are leaving thousands of websites and a billion of their users vulnerable to account takeovers, API security company Salt Security warns.

The latest research by Salt Security identified flaws in the access token verification step of the social sign-in process, part of the OAuth implementation on these websites.

OAuth is a popular authentication protocol that allows users to log in to websites and apps using their existing social media accounts, such as Google or Facebook. However, if a website does not properly verify the access token, an attacker could insert a token from another site and gain access to the user’s account.

The researchers were able to exploit these vulnerabilities on three popular websites: Grammarly, Vidio, and Bukalapak. They were able to gain access to user accounts on these websites and perform any action on behalf of that user.

The researchers believe that thousands of other websites are also vulnerable to these attacks. They urge users to be cautious when using social login and to only use social login on websites that they trust.

What can users do to protect themselves?

Here are some tips for users to protect themselves from account takeover attacks:

  • Be careful about which websites you use social login on. Only use social login on websites that you trust.
  • Enable two-factor authentication (2FA) on all of your accounts, including your social media accounts. 2FA adds an extra layer of security to your accounts, making it more difficult for attackers to gain access.
  • Keep your software up to date. Software updates often include security patches that can help to protect you from known vulnerabilities.
  • Be careful about what links you click on and what attachments you open. Phishing emails are a common way for attackers to steal your login credentials.

What can businesses do to protect their users?

Businesses can take the following steps to protect their users from account takeover attacks:

  • Properly verify access tokens before granting access to user accounts.
  • Implement 2FA for all of your users.
  • Keep your software up to date.
  • Educate your users about phishing attacks and other social engineering scams.
Scroll to top