Critical API Security Vulnerabilities Found in OAuth Implementations of Popular Platforms

Salt Security’s recent research has uncovered critical API security vulnerabilities in the OAuth protocol implementations of widely used online platforms such as Grammarly, Vidio, and Bukalapak. These vulnerabilities, although now addressed, had the potential to compromise user credentials and enable full account takeovers, posing risks to billions of users.

Background on OAuth Hijacking Series

This research paper by Salt Labs marks the final chapter in their OAuth hijacking series, building upon their earlier discoveries of vulnerabilities in platforms like Booking.com and Expo. These flaws presented severe risks, including granting cybercriminals unrestricted access to user accounts, potentially resulting in unauthorized access to sensitive financial and personal information.

Impact on Users

The identified vulnerabilities exposed users to potential identity theft and financial fraud. Cyber attackers could insert a token from another site as a verified token, a technique known as a “Pass-The-Token Attack.” This technique, made possible due to the security flaws in OAuth implementations, enabled hackers to gain unauthorized access to user accounts and sensitive information, jeopardizing user privacy and security.

The platforms mentioned in the Salt Security report, namely Vidio, Bukalapak, and Grammarly, swiftly responded to the research findings and took necessary actions to resolve the security vulnerabilities raised by the researchers at Salt Labs. By addressing these vulnerabilities promptly, the platforms have demonstrated their commitment to user security and protection.

The Scale of the Issue

According to Balmas, a representative from Salt Security, the impact of these vulnerabilities was substantial, potentially affecting over a billion users. The significance of these findings cannot be overstated, as users’ accounts could have been breached had the vulnerabilities been discovered by malicious actors rather than by Salt Labs’ researchers. The proactive actions taken by the affected platforms are commendable, as they helped prevent widespread security incidents.

Introduction to OAuth and Its Design

OAuth is a widely adopted technology that simplifies the sign-in process by allowing users to log in to websites using their social media accounts. It is crucial to note that the research findings do not indicate inherent flaws in the OAuth protocol itself. In fact, OAuth is well-designed and does not exhibit obvious fail points. The flaws discovered by Salt Labs were in the specific implementations of OAuth on the affected platforms.

The research conducted by Salt Security sheds light on critical API security vulnerabilities in the OAuth protocol implementations of popular online platforms. The prompt actions taken by the affected platforms, such as Vidio, Bukalapak, and Grammarly, after being alerted by Salt Labs’ researchers, demonstrate their commitment to user security. As OAuth continues to be a widely adopted technology for user authorization and authentication, these findings highlight the importance of continuous security improvements in online platforms to safeguard user data and protect against potential unauthorized access or data breaches.

It is crucial for both developers and organizations to prioritize ongoing vulnerability assessments and robust security measures in their OAuth implementations. By doing so, they can ensure the safety and privacy of user accounts and prevent potential risks such as identity theft and financial fraud. As the digital landscape continues to evolve, it is imperative that security practices and technologies also evolve to keep pace with emerging threats, ultimately providing users with a secure online experience.

Explore more

Trintech CTO on the Future of Governed Autonomous Finance

The traditional corporate finance landscape is currently undergoing a radical transformation as the demand for instantaneous reporting clashes with the limitations of legacy manual reconciliation processes. In the modern Office of the CFO, the sheer volume of data generated by global operations has made the old ways of managing the financial close not only inefficient but also increasingly risky. Organizations

Cyberimpact Leads Canadian Email Marketing with Privacy Focus

Navigating the complexities of modern digital communication requires a delicate balance between aggressive marketing tactics and the stringent protection of consumer data privacy within the Canadian regulatory framework. Cyberimpact has carved out a distinct niche by prioritizing this balance, offering a platform specifically engineered for the unique legal and cultural landscape of Canada. While global giants often treat the Canadian

Video UGC Boosts E-commerce Conversions and Consumer Trust

A single unpolished smartphone video uploaded by a verified buyer often generates significantly more revenue than a six-figure commercial produced by a professional creative agency. This paradox defines the current landscape of digital commerce, where the traditional pillars of advertising are being replaced by the raw authenticity of user-generated content. As the market moves from 2026 to 2028, businesses are

Why Is Visual Storytelling Vital for Brand Awareness?

The current digital landscape is characterized by an unprecedented volume of information, which forces modern consumers to develop highly sophisticated filters for the content they choose to consume daily. This environmental reality means that traditional, text-heavy marketing strategies often struggle to capture attention before a user scrolls past, leading to a drop in engagement rates for many global organizations. To

How Will New Regulations Transform Buy Now, Pay Later?

The meteoric rise of interest-free deferred payment options has fundamentally altered the retail landscape, effectively turning every smartphone into a portable credit line for millions of global consumers. This rapid evolution from a niche financial tool to a cornerstone of modern shopping behavior occurred with such speed that existing regulatory frameworks struggled to maintain pace with technological innovation. Historically, providers