OAuth Vulnerabilities in Popular Online Services Allowed Account Takeovers
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
Salt Security, in the third and final segment of its research into OAuth implementation issues, revealed flaws in the social login mechanisms of popular services such as Grammarly, Vidio, and Bukalapak.
The research identified weaknesses in the access token verification step of the social sign-in option in the OAuth protocol. If exploited, these vulnerabilities allow an attacker not only to steal user credentials but also to take full control of the victim's account, enabling session hijacking, identity theft, or financial fraud.
OAuth is a popular user authorization and authentication protocol that allows websites and web service companies to implement a simple one-click sign-in process. Users can sign into websites through their social media accounts (such as Google and Facebook).
However, for a secure implementation, it is essential that websites verify the provided access token, something that many online service providers failed to do. Salt Security demonstrated this vulnerability via an experiment in which they substituted a token issued for another site and had it accepted as a verified token. This technique, known as a "Pass-The-Token Attack", allowed its researchers to gain complete control over a user's account.
Although this experiment identified vulnerabilities in the social login process of Grammarly, Vidio, and Bukalapak, the company stated: "[..] we expect that 1000s of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day."
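The verification step the article describes, shown as an added example that is not Salt Security's code nor any of the named services' code: the vulnerable pattern accepts any token that names a user's email, while the hardened pattern first checks that the token was issued for this site's own client ID (the audience), that it has not expired, and that the provider marked the email as verified. The token-info dictionaries are constructed to mimic the shape of a provider's token introspection reply; the field names (`aud`, `sub`, `exp`, `email`, `email_verified`) follow common OIDC conventions and are assumptions for this illustration, not a specific provider's API.

```python
import time
from typing import Optional, Tuple

# The OAuth client ID this site registered with the identity provider (constructed value).
OUR_CLIENT_ID = "this-site-client-id.apps.example"

# Fixed clock so the example is deterministic when run offline.
FIXED_NOW = 1_700_000_000

# Constructed token-info replies. Both describe the same user at the same provider,
# but only the first was issued to *this* application.
TOKEN_FOR_THIS_SITE = {
    "aud": OUR_CLIENT_ID,
    "sub": "user-123",
    "email": "alice@example.com",
    "email_verified": True,
    "exp": FIXED_NOW + 3600,
}
TOKEN_FOR_OTHER_SITE = {
    "aud": "some-other-site-client-id.apps.example",
    "sub": "user-123",
    "email": "alice@example.com",
    "email_verified": True,
    "exp": FIXED_NOW + 3600,
}


class TokenRejected(Exception):
    """Raised when a token fails a verification check."""


def login_insecure(token_info: dict) -> Optional[str]:
    """Vulnerable pattern: trusts any valid-looking token and signs in whoever it names.
    A token issued to a different site for the same user passes this check, which is
    the weakness the Pass-The-Token experiment relied on."""
    return token_info.get("email")


def login_hardened(token_info: dict,
                   expected_client_id: str = OUR_CLIENT_ID,
                   now: Optional[float] = None) -> str:
    """Hardened pattern: accept the token only if the provider says it was issued for
    this application, it is unexpired, and the email is verified. Returns the stable
    subject identifier to key the local account on (not the email alone)."""
    now = time.time() if now is None else now
    aud = token_info.get("aud")
    if aud != expected_client_id:
        raise TokenRejected(f"audience mismatch: token issued for {aud!r}")
    exp = token_info.get("exp")
    if exp is None or exp <= now:
        raise TokenRejected("token expired or missing expiry")
    if not token_info.get("email_verified", False):
        raise TokenRejected("email not verified by provider")
    sub = token_info.get("sub")
    if not sub:
        raise TokenRejected("no stable subject identifier")
    return sub


def try_hardened(token_info: dict, now: float = FIXED_NOW) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted?, subject-or-reason)."""
    try:
        return True, login_hardened(token_info, now=now)
    except TokenRejected as e:
        return False, str(e)


if __name__ == "__main__":
    print("insecure, foreign token :", login_insecure(TOKEN_FOR_OTHER_SITE))
    print("hardened, foreign token :", try_hardened(TOKEN_FOR_OTHER_SITE))
    print("hardened, our token     :", try_hardened(TOKEN_FOR_THIS_SITE))
```

The audience check is the one that stops the substituted token: a real provider's introspection or tokeninfo endpoint reports which client the token was minted for, and the site must compare that against its own registered client ID rather than merely confirming the token is valid somewhere.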
The researchers went on to say that the OAuth framework is well-designed and secure. The problem lies in its implementation. “We hope this series has helped educate the broader industry on the nature of potential OAuth implementation errors and how to close these API-based security gaps to better protect data and use OAuth more securely.”
After discovery, the above-mentioned platforms were notified of these vulnerabilities, and each has since taken steps to mitigate the security gaps.
Salt Security's current disclosure comes just months after the company revealed flaws in the implementation of the OAuth protocol by popular online services such as Booking.com and Expo.
Philadelphia City Reveals Personal Data Was Compromised in May Email Hack
- Written by Shipra Sanganeria, Cybersecurity & Tech Writer
On October 20, 2023, the City of Philadelphia disclosed a security incident in which unknown threat actors had gained access to city email accounts containing the personal information of several individuals.
The breach was first discovered on May 24, 2023, when officials noticed suspicious activity in the city's email environment. An investigation was then conducted in partnership with third-party cybersecurity vendors. The ongoing investigation revealed that for two months after the breach was first discovered, unauthorized actors may have gained access not only to the compromised email accounts but also to the information within them.
"We launched an investigation, [..]. However, to date, the investigation determined that between May 26, 2023, and July 28, 2023, an unauthorized actor may have gained access to certain city email accounts and certain information contained therein," the notice states.
On August 22, the ongoing investigation further revealed that the compromised accounts may have contained protected health information of the affected individuals.
According to city officials, the stolen information may vary by individual but could include demographic information such as names, addresses, dates of birth, Social Security numbers, and other contact information. It could also include health data such as diagnoses and other treatment-related information, limited financial data, and claims information.
In the notice, the city also stated that, upon confirmation of identity and contact information, impacted individuals would be notified by city officials. It also described several mitigation measures taken to prevent similar incidents in the future, including reporting the incident to the U.S. Department of Health and Human Services.
"As part of our ongoing commitment to information security, we are also reviewing our existing policies and procedures, implementing additional administrative and technical safeguards to further secure information in our care, and providing additional training on how to safeguard information in our email environment," the notice continued.
Impacted individuals have also been advised to stay vigilant and report any suspicious activity to the relevant healthcare and financial organizations.