Some of the most popular websites around have a serious security login flaw

Password Security
Bästa tjänsterna för lösenordshantering (Image credit: Shutterstock)

Cybersecurity experts have uncovered a potential way for hackers to take over user accounts on popular websites serving hundreds of millions of users. With the stolen accounts, the hackers could do all kinds of cyberattacks, from social engineering, to wire fraud, to phishing, and more. 

This is according to cybersecurity researchers from Salt Security, who discovered an API security vulnerability in the social sign-in and Open Authentication (OAuth) implementation. 

Social sign-in allows users to create, and log into, accounts on various platforms, using their social media accounts where they’re already logged in. Users can choose to log in using their Google account, Facebook account, Twitter, Apple, and more - all with a single click. 

Pass the token

The flaw itself was found in the verification step for the access token. When logging in, OAuth needs one such token, and if the site fails to verify it, hackers can insert a different one and gain access to the account. The researchers call this technique “Pass-The-Token-Attack.”

As per the report, three major websites were found vulnerable to the attack: Grammarly, Vidio, and Bukalapak. 

The latter is an Indonesian eCommerce platform with more than 150 million active monthly users. Vidio is an online video streaming platform with 100M monthly active users and offers a wide range of content such as movies, TV shows, live sports, and original productions. Grammarly is a grammar and spell-checker with more than 30 million active daily users. While these numbers might sound extremely large, the researchers warn that it’s probably that thousands of other websites are using the same social sign-in mechanisms, and as such are vulnerable in the same way. The conclusion is that hundreds of millions, if not billions of user accounts, are at risk. 

After finding the flaw, Salt reached out to these three websites, all of which remedied the vulnerability prior to the publication of the announcement.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.