Security flaws in the implementation of the OAuth authentication standard left hundreds of millions of users to at least three popular online sites exposed to possible account takeover by bad actors, according to researchers at Salt Security.

The vulnerability resulting from how OAuth (Open Authorization) is integrated into web services platforms is the latest uncovered by the seven-year-old API security startup, which in separate reports earlier this year detailed issues related to Booking.com and the Expo framework used by online site to implement the standard.

The latest report his week takes a look at Grammarly, Vidio, and Bukalapak, an ecommerce platform in Indonesia with 150 million users. However, the Salt researchers noted that while they looked at those three sites to illustrate the latest implementation flaw, they suspect that thousands of other websites also are vulnerable to the same attack.

OAuth is used by such companies as Google, Amazon, Facebook and Microsoft, its popularity driven in party by how easy it is to implement a social login, a form of single sign-on (SSO) that allows for cross-platform authentication via a user’s social network service. When a user wants to sign onto a site for the first time, they may be asked if they want to log in through Facebook or Google.

One of the reasons for its huge popularity is its ease of implementation. Developers can use OAuth to implement a social login for a web service. But that simplicity can be deceiving – behind the scenes, OAuth is quite complex. It comprises many moving parts, and lots of little features are responsible for making everything work, according to Aviad Carmel, a security researcher with Salt.

However, the simplicity implied by all this is deceiving, Carmel wrote in the report, adding that “behind the scenes, OAuth is quite complex. It comprises many moving parts, and lots of little features are responsible for making everything work.”

“The OAuth protocol itself is indeed correctly designed and is secure by nature,” he wrote. “However, to use it with a web service requires integrating it into that service’s existing platform, which is where the trouble starts. … All the security gaps identified by Salt Labs rendered major online services susceptible to credentials leakage, allowing complete account takeover, which, in the wrong hands, could have led to identity theft, financial fraud, access to credit cards, and many other perils.”

Token Verification is Key

Salt found that the problems for both Vidio, an online video streaming platform with more than 100 million users, and Bukalapak centered around token verification.

When a user wants to log into a new site using their Facebook account and gives the site permission to access that account to read their email address for verification, a secret token is created by Facebook, the new site reads the token from a URL and uses it to talk directly to Facebook using an API.

For both Vidio and Bukalapak, because there’s no token verification, attackers can hijack the token by inserting a token from another site and take control of the user’s account. From there, they can access the user’s personal and financial data.

Code Instead of Tokens

For Grammarly, which has 30 million daily users, the problem was slightly different. With social login from Grammarly, Facebook uses code rather than a token, with an HTTP POST request sent to Grammarly to authenticate using a secret code.

Because of this, an attack based on reusing a token won’t work with Grammarly. However, attackers could substitute the word “code” in the POST request with “access_token” from a malicious site and get access to the account.

Carmel noted that all three companies made fixes to the vulnerability after being contacted by Salt, shutting down the problems the security vendor found, but implementation of OAuth remains a concern.

“There are great security benefits moving to an SSO infrastructure, or using common SSO-like services, such as OAuth,” John Bambenek, principal threat hunter with cybersecurity firm Netenrich, said in an email. “The same reason these solutions are attractive to organizations make them attractive to attackers because they understand that the only real perimeter to sensitive data isn’t firewalls or gateways, it is identity and authentication.”

Others said social login is a problem.

It might be convenient, but social login “should be avoided and discourage by organizations,” Aubrey Perin, lead threat intelligence analyst at cloud-security and compliance company Qualys. “Instead, organizations should leverage single sign on (SSO) solutions that they can control and audit as part of their comprehensive Identity Access Management policies and programs.”