Grammarly successfully addressed vulnerabilities affecting user logins after receiving an alert from Salt Security, showcasing their commitment to user safety.
Grammarly, a widely-used typing assistant, swiftly addressed vulnerabilities that impacted user logins upon receiving a notification from a security firm about these issues.
These vulnerabilities mainly affected social sign-ins, where users employ their existing credentials from platforms like Facebook or Google to access web services. The issues stemmed from problems in implementing Open Authentication (OAuth), a common protocol.
Salt Security experts, announced Tuesday, recently discovered these vulnerabilities affecting various products, including Grammarly and the Indonesian video streaming app Vidio. They promptly informed the respective companies about the flaws.
A spokesperson representing Grammarly expressed gratitude for Salt Security’s prompt notification. Grammarly, with over 30 million daily users relying on its AI tool for spelling, grammar, and punctuation checks, acted swiftly to resolve the issue. This swift response prevented potential exploitation of the vulnerability and ensured user information remained secure.
The identified vulnerabilities had the potential to expose user credentials and allow malicious actors to gain full access to their accounts. Salt Labs, the research team of the security company, highlighted that numerous other websites using common social sign-in mechanisms may also face similar vulnerabilities, potentially putting billions of individuals worldwide at risk.
The spokesperson emphasized that the issue did not compromise any Grammarly accounts and commended the proactive involvement of third-party security experts. Furthermore, they underscored Grammarly’s commitment to transparency and resolving issues before exploitation by encouraging external security researchers to participate in their long-standing bug bounty program.
The Role of Tokens in Authentication
Salt Security’s 20-page report delves into OAuth issues. Experts point to the need for verified tokens to grant access. In cases involving Grammarly and Vidio, token validation lapses enabled Salt Labs researchers to employ their tokens, a technique called “Pass-The-Token Attack.”
Yaniv Balmas, Salt Security’s VP of Research, lauds OAuth’s robust design but highlights implementation issues, especially in Social-Login. Widespread OAuth adoption for user authorization and authentication is noted, with implications for businesses and customers.
Unfortunately, other companies in the report haven’t commented.
Salt Security previously identified similar issues affecting Booking.com in March.
Aubrey Perin of Qualys advises against social sign-ins, favoring controllable SSO solutions. However, other experts stress that OAuth problems often stem from implementation. OAuth offers credential protection in case of a website breach, but its user-friendliness can attract hackers.
John Bambenek of Netenrich highlights the importance of proper authentication for data security and the need to rectify vulnerabilities and misconfigurations. The report serves as an example for other organizations.
Related stories:
