If that website is an e-commerce platform like Bukalapak, the consumer may need billing and cost data saved of their profile. If it’s a service like Grammarly, the consumer may need delicate paperwork and so forth.
Different variations and implementation oversights
OAuth is a fancy commonplace and permits for varied implementation variants. For instance, as an alternative of utilizing redirect URLs between the location and the identification supplier, the location would possibly select to make use of the PostMessage characteristic, however the assault continues to be doable in such an implementation if the token isn’t validated.
Passing tokens through URLs is probably weak to man-in-the-middle assaults if an attacker has the flexibility to passively monitor site visitors and simply extract the OAuth token from the URL they observe. Due to this, OAuth additionally supplies a safer strategy the place the identification supplier points a one-time code as an alternative of an entry token, then the web site takes that code along with an utility secret solely itself and Fb is aware of and exchanges the code right into a token utilizing the Fb API.
Grammarly truly used this safer code-based strategy when the Salt Safety staff examined its OAuth implementation. Nonetheless, the researchers noticed the Grammarly OAuth script took requests with the entry code within the request and questioned if it might embrace a operate that takes tokens as nicely. Subsequently, they tried making requests by changing code with totally different phrases like token, facebookToken, FBtoken and totally different variations, till they discovered that access_token labored and was accepted.
In different phrases, they managed to downgrade Grammarly’s implementation to the safer variant as a result of the code to deal with tokens immediately as an alternative of code was nonetheless left within the script as an choice. And it turned out, there was no token validation step to verify for the app ID.
The Salt Safety researchers discovered different OAuth implementation flaws in main web sites previously, together with some that might have given attackers entry to Reserving.com accounts. “It is extraordinarily essential to verify your OAuth implementation is safe,” the researchers mentioned. “The repair is only one line of code away…. When OAuth is used to supply service authentication, any safety breach in it could possibly result in identification theft, monetary fraud, and entry to numerous private data together with bank card numbers, personal messages, well being data, and extra, relying on the precise service being attacked.”
