Grammarly says it corrected sign-in vulnerabilities after alert from cyber researchers
Popular typing assistant Grammarly said it has fixed vulnerabilities affecting user logins after being notified by a security company of the issues.
The bugs affected social sign-in — when someone accesses a web service through their existing credentials for a platform like Facebook or Google — and were caused by issues with implementations of Open Authentication (OAuth), a common protocol.
Experts at Salt Security announced Tuesday they discovered such flaws affecting multiple products — including Grammarly and the Indonesian video streaming app Vidio — and notified the companies.
A spokesperson for Grammarly said they were grateful that Salt Security alerted the company about the issues. More than 30 million people use the AI tool daily to review spelling, grammar and punctuation.
“Our engineering team immediately addressed the issue so that the vulnerability could not be exploited, and that we could continue to keep our users and their information safe,” they said.
The flaws could have allowed for Grammarly and other affected apps to leak people’s credentials and enabled attackers to fully take over accounts. Salt Labs, the security company’s research team, noted that thousands of other websites using widely seen social sign-in mechanisms are likely vulnerable to the same type of attack, putting billions of individuals around the globe at risk.
No Grammarly accounts were compromised by the issue, the spokesperson said, and the company welcomed the activity by third-party experts.
“As part of our commitment to transparency and dedication to resolving issues before they can be exploited, we encourage and invite external security researchers to participate in our long-standing bug bounty program,” they said.
‘Pass the token’
Salt Security published a 20-page report explaining the issues with OAuth. The experts said that the protocol needs a verified token to approve access. Grammarly and Vidio failed to verify the token, allowing Salt Labs researchers to insert their own token from another site and use it to gain access to user accounts.
They call the technique “Pass-The-Token Attack.”
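As an added example (not code from Salt Labs, Grammarly or Vidio), the following Python sketches the difference between a social-login handler that merely resolves a token to an identity and one that also verifies the token was issued for its own application. The identity provider, client IDs, tokens and accounts are all constructed stand-ins, and the claim names (`sub`, `aud`, `exp`) are an assumption modelled on what OAuth providers commonly return; that the missing check in the report is specifically audience binding is also an assumption drawn from the "token from another site" description above.

```python
"""Added example: a relying party must verify that a social-login token was
issued for *this* application before trusting the identity it carries.

Everything here is constructed: the provider, client IDs, tokens and users
are stand-ins, and the claim names are assumed, not taken from any real
provider's documentation.
"""
import time

OUR_CLIENT_ID = "our-app-client-id"          # constructed client ID for this app

# Constructed identity-provider state: token -> claims the provider reports.
# "aud" is the client ID the token was issued for.
_PROVIDER_TOKENS = {
    "tok-issued-for-our-app":    {"sub": "user-123", "aud": "our-app-client-id",    "exp": time.time() + 3600},
    "tok-issued-for-other-site": {"sub": "user-123", "aud": "other-site-client-id", "exp": time.time() + 3600},
    "tok-expired":               {"sub": "user-123", "aud": "our-app-client-id",    "exp": time.time() - 10},
}

# Local account store: provider subject -> local account (constructed).
_ACCOUNTS = {"user-123": "alice@example.test"}


def provider_introspect(token):
    """Stand-in for the provider's token-info / introspection endpoint.
    Returns the token's claims, or None if the provider does not know it."""
    return _PROVIDER_TOKENS.get(token)


def login_vulnerable(token):
    """The pattern the article describes: the token resolves to a valid
    provider identity, so the app logs that identity in. It never checks
    which application the token was issued for, so a token obtained for
    any other site maps onto the same local account."""
    claims = provider_introspect(token)
    if claims is None:
        return None
    return _ACCOUNTS.get(claims["sub"])


def verify_social_token(token):
    """Checks a practitioner would want before trusting a social-login token.
    Returns (ok, reason) so callers can log why a token was rejected."""
    claims = provider_introspect(token)
    if claims is None:
        return False, "unknown token"
    if claims.get("aud") != OUR_CLIENT_ID:
        return False, "audience mismatch"      # issued for a different relying party
    if claims.get("exp", 0) <= time.time():
        return False, "token expired"
    if "sub" not in claims:
        return False, "no subject"
    return True, "ok"


def login_hardened(token):
    """Same flow as login_vulnerable, but only after verify_social_token passes."""
    ok, _reason = verify_social_token(token)
    if not ok:
        return None
    return _ACCOUNTS.get(provider_introspect(token)["sub"])
```

The point to take from the hardened version is that a token being valid *at the provider* is not the same as it being valid *for this application*; the audience check is what ties the two together. On the detection side, logging the `reason` string from `verify_social_token` gives a simple signal: a spike in "audience mismatch" rejections on a login endpoint is worth investigating.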
Yaniv Balmas, vice president of research at Salt Security, told Recorded Future News that OAuth is well-designed and does not contain obvious points of failure.
“However most of the issues we found were related to the way OAuth is implemented by the various parties using it. Social-Login is super-useful and as a web service, it’s very easy to implement at the basic level, however without the proper knowledge and awareness this also quite often leaves the door wide open for risking the entire user base,” Balmas said.
“OAuth is one of the fastest adopted technologies in the AppSec domain and has quickly become one of the most popular protocols for both user authorization and authentication. The Salt Labs research illustrates the potential impacts that OAuth implementation issues can have on a business and its customers.”
The other companies named in the report did not respond to requests for comment.
Salt Security, which focuses on API security, uncovered similar issues in March affecting online travel agency giant Booking.com.
Qualys threat intelligence analyst Aubrey Perin said social sign-ins “should be avoided and discouraged by organizations” in favor of single sign-on (SSO) solutions that can be controlled and audited.
Other experts were more forgiving, noting that the issues with OAuth almost always revolve around how it is implemented. Keeper Security’s Patrick Tiquet explained that one benefit of using OAuth to create accounts through Facebook, Twitter, Google or Apple — instead of a username-and-password combination — is that your credentials are protected in case a website gets hacked.
But others noted that their ease of use may contribute to their attractiveness to hackers.
“The same reason these solutions are attractive to organizations make them attractive to attackers because they understand that the only real perimeter to sensitive data isn’t firewalls or gateways … it is identity and authentication,” Netenrich’s John Bambenek told Recorded Future News.
“Any vulnerability or misconfiguration that can lead to full account takeover is a major concern and thankfully it looks like the underlying issues in this report have been remediated and serve as an example to other organizations how and why to get this right.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.