Critical OAuth Flaws Uncovered in Grammarly, Vidio, and Bukalapak Platforms

October 25, 2023

Critical security flaws have been disclosed in the Open Authorization (OAuth) implementations of popular online services such as Grammarly, Vidio, and Bukalapak, building upon earlier shortcomings uncovered in Booking[.]com and Expo.

The weaknesses, since resolved by the respective companies following responsible disclosure between February and April 2023, could have allowed malicious actors to obtain access tokens and potentially hijack user accounts.

OAuth is a standard that is commonly used as a mechanism for cross-application access, granting websites or apps access to a user's information held on other sites, such as Facebook, without giving them the user's password.


“When OAuth is used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked,” Salt Security researcher Aviad Carmel said.

The issue identified in Vidio stems from an absence of token verification, meaning an attacker can use an access token generated for a different App ID, a random identifier created by Facebook for each application or website that gets registered in its developer portal.

In a hypothetical attack scenario, a threat actor could create a rogue website that offers a sign-in option through Facebook to harvest the access tokens and subsequently use them against Vidio.com (which has the App ID 92356), thereby allowing full account takeover.

The API security company said it also discovered a similar issue with token verification on Bukalapak.com via Facebook login that could result in unauthorized account access.

On Grammarly, it emerged that when users attempt to log in to their accounts using the “Sign in with Facebook” option, an HTTP POST request is sent to auth.grammarly[.]com to authenticate them using a secret code.

As a result, while Grammarly is not susceptible to a token reuse attack like in the case of Vidio and Bukalapak, it is nonetheless vulnerable to a different kind of problem whereby the POST request can be altered to replace the secret code with an access token obtained from the aforementioned malicious website to gain access to the account.

“And like with the other sites, the Grammarly implementation did not perform token verification,” Carmel said, adding, “an account takeover would give an attacker access to the victim’s stored documents.”
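The common root cause across all three sites is that the server accepted a Facebook access token without checking whom it was issued to. The following is an added illustration (not code from Salt Security or any of the affected companies) of the audience check a relying party should perform on the response of Facebook's Graph API `debug_token` endpoint before trusting a token; the response bodies, user ids and the foreign app id `555999` are constructed samples, while `92356` is the Vidio App ID quoted above.

```python
import json
from dataclasses import dataclass
from typing import Optional

# The relying party's own Facebook App ID (Vidio's, as reported in the article).
EXPECTED_APP_ID = "92356"

# Constructed sample bodies in the shape returned by
# GET https://graph.facebook.com/debug_token?input_token=<user_token>&access_token=<app_id>|<app_secret>
# No network call is made here; a real deployment would fetch these server-side.
RESPONSE_OWN_APP = json.dumps({"data": {"app_id": "92356", "is_valid": True,
                                        "user_id": "1001", "expires_at": 1700000000}})
RESPONSE_OTHER_APP = json.dumps({"data": {"app_id": "555999", "is_valid": True,
                                          "user_id": "1001", "expires_at": 1700000000}})
RESPONSE_INVALID = json.dumps({"data": {"is_valid": False,
                                        "error": {"message": "Invalid OAuth access token."}}})


@dataclass
class TokenCheck:
    ok: bool
    user_id: Optional[str]
    reason: str


def verify_facebook_token(debug_response_json: str, expected_app_id: str, now: int) -> TokenCheck:
    """Decide whether a token presented by the browser may be used to log a user in.

    A token that Facebook reports as valid is still rejected unless it was issued
    for *our* app: this is the check Vidio, Bukalapak and Grammarly were missing,
    and it is what stops a token harvested by a rogue site from being replayed here.
    """
    try:
        data = json.loads(debug_response_json)["data"]
    except (ValueError, KeyError, TypeError):
        return TokenCheck(False, None, "malformed debug_token response")
    if not data.get("is_valid"):
        return TokenCheck(False, None, "token rejected by issuer")
    # Audience check: the app_id in the token metadata must match the relying party.
    if str(data.get("app_id")) != expected_app_id:
        return TokenCheck(False, None,
                          f"token issued for app {data.get('app_id')}, not {expected_app_id}")
    # Facebook reports 0 for non-expiring tokens; otherwise enforce the expiry.
    expires_at = int(data.get("expires_at", 0))
    if expires_at and expires_at <= now:
        return TokenCheck(False, None, "token expired")
    return TokenCheck(True, str(data["user_id"]), "ok")
```

The Grammarly variant is closed by the same discipline: the server must only accept the authorization code it expects at that endpoint and exchange it with Facebook itself, never a bearer token supplied by the client.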

Some elements of this article are sourced from:
thehackernews.com