Flaws in social login mechanisms are leaving thousands of websites and a billion of their users vulnerable to account takeovers, API security company Salt Security warns.
The latest research by Salt Security identified flaws in the access token verification step of the social sign-in process, part of the OAuth implementation on these websites.
OAuth is the authorization framework that underpins social login, letting users sign in to websites and apps with an existing account from a provider such as Google or Facebook. At the end of the flow the website receives an access token and must confirm that it is valid and, crucially, that it was issued to the website's own application. If a site only checks that the token is live and maps it to a user, an attacker who obtains the victim's token from a different application (for example one issued to an attacker-controlled site the victim logged in to) can replay it against the target site's login endpoint and be logged in as the victim.
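The token-substitution flaw described above, as an added example (not code from Salt Security or from any of the affected sites): a vulnerable login handler that only asks the provider whether a token is live, beside a hardened one that also checks which application the token was issued to. The provider's token-introspection endpoint is simulated offline with a constructed in-memory table; `OUR_APP_ID`, the token strings and the user IDs are all hypothetical.

```python
# Added example; not Salt Security's or any vendor's code. Models the
# flaw where a site validates a social-login access token by asking the
# provider "is this token valid, and for which user?" without checking
# which application the provider issued it to. The provider's token
# introspection is simulated with a constructed in-memory table; real
# providers expose equivalents (e.g. Google's tokeninfo, Facebook's
# debug_token) whose responses include the client/app the token is for.
import time
from dataclasses import dataclass
from typing import Optional

OUR_APP_ID = "target-site-app"  # hypothetical app id registered with the provider


@dataclass(frozen=True)
class TokenInfo:
    user_id: str       # provider-side identity the token belongs to
    app_id: str        # application (audience) the token was issued for
    expires_at: float  # unix time after which the token is dead


# Constructed sample data standing in for the provider's records. All three
# tokens belong to the same victim; one was issued to our site, one to an
# attacker-controlled site the victim also logged in to, one has expired.
_PROVIDER_TOKENS = {
    "tok-legit": TokenInfo("victim-123", "target-site-app", time.time() + 3600),
    "tok-from-attacker-site": TokenInfo("victim-123", "attacker-app", time.time() + 3600),
    "tok-expired": TokenInfo("victim-123", "target-site-app", time.time() - 1),
}


def introspect(token: str) -> Optional[TokenInfo]:
    """Simulated provider introspection: metadata for a known token, else None."""
    return _PROVIDER_TOKENS.get(token)


def vulnerable_login(token: str) -> Optional[str]:
    """Logs in whoever the provider says the token belongs to.

    Any live token for the victim is accepted, even one issued to a
    completely different application, so an attacker who obtained the
    victim's token on their own site can replay it here.
    """
    info = introspect(token)
    if info is None or info.expires_at <= time.time():
        return None
    return info.user_id


def hardened_login(token: str, expected_app_id: str = OUR_APP_ID) -> Optional[str]:
    """Same flow, plus the audience check the vulnerable version lacks."""
    info = introspect(token)
    if info is None:
        return None
    if info.expires_at <= time.time():
        return None
    if info.app_id != expected_app_id:
        # Token was issued to some other application: refuse it even though
        # the provider confirms it is live and names a real user.
        return None
    return info.user_id
```

The only difference between the two handlers is the comparison of the token's audience with the site's own application ID; everything else (validity, expiry, user lookup) is identical, which is why the flaw is easy to miss in review.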
The researchers were able to exploit these vulnerabilities on three popular websites: Grammarly, Vidio, and Bukalapak. They were able to gain access to user accounts on these websites and perform any action on behalf of that user.
The researchers believe that thousands of other websites are also vulnerable to these attacks. They urge users to be cautious when using social login and to only use social login on websites that they trust.
Here are some tips for users to protect themselves from account takeover attacks:
Businesses can take the following steps to protect their users from account takeover attacks: