The Vulnerabilities of User Authentication Tokens and How to Protect Your Organization

It goes without saying that protecting your organization from cybercrimes is important. And this should be done from all levels, including how to properly use and protect user authentication tokens.

Upon its introduction, User Authentication Tokens were considered a boon for administrators and IT personnel looking for a simple but effective way to guarantee security for their IT infrastructure as well as the devices that are used to access networks, assets, or databases (either on-premises or remotely).

But despite the high level of security user authentication tokens provided, it was still not a perfect solution. Steps need to be taken to ensure that tokens are not compromised and subsequently used for malicious access to systems. For example, one way to improve security is by shifting the paradigm of protecting the network or building security features around an application. Instead of doing this, organizations can implement more responsive and potentially safer ways to handle authentication tokens in order to improve database security and authentication for applications.

A number of companies found out the hard way that the security measures they have installed that depended on authentication tokens were still vulnerable.

 

VULNERABILITIES EXPOSED

In 2017, the popular corporate messaging platform Slack was reported to have a vulnerability that would’ve allowed bad actors to gain access to accounts and even read archived messages. The exploit was done through the user authentication token.

The exploit was detected when an IT expert noticed a vulnerability in how Slack utilizes pop-up windows. When a Slack call is started, a pop-up window will appear as the interface for the call. But it was discovered that this pop-up window was not validating the messages that are being sent between the pop-up window and the original instance of the Slack chat app. This meant that if someone was running a malicious webpage, that said page could pretend that it is a Slack server, which would then send a fake call to the newly opened call pop-up window. Exploiting this communication vulnerability, the user authentication token could be intercepted, which would then be used to gain access to the account holder’s data, including their message archive. Fortunately, this was patched immediately after this was discovered.

This was not the only time a vulnerability in Slack’s security system was discovered. In the same year, 1,500 Slack authentication tokens were posted on Github. These were a part of the Slack integration code.

Another company that encountered security problems was the ride-hailing app Uber. In September 2019, a bug was found on Uber’s API that allowed the exploit of an application programming interface (API) endpoint that would allow cybercriminals to gain access to data, which would include PII (personally identifiable information) records and the authentication tokens of both riders and drivers. Access to the authentication tokens would allow for someone to take over a person’s Uber account. This vulnerability was also addressed and patched before it could wreak havoc on Uber’s customer and driver base.

 

THE BROKEN AUTHENTICATION PROBLEM

It is apparent that broken authentication is a looming problem for many organizations, especially those that heavily rely on this form of security to protect their network. A report published by Cybersecurity Ventures revealed that cybercrime incidents can potentially cost global damages in the amount of USD$10.5 trillion annually by 2025. That’s a 15 percent year-on-year increase over the next five years.

The financial cost of these malicious events will be near-catastrophic – the theft and destruction of data, data being held hostage, theft of intellectual assets, embezzlement, fraud, and even reputation harm, among others. We are not yet even talking about the survival of companies that can become victims of these crimes. Many companies have folded because of the harm cyber crimes have inflicted on their organization.

But despite these dangers, security is still not at a level that could adequately protect the integrity of many companies’ networks. A study released by Positive Technologies in 2019 revealed that 45 percent of web applications have weaknesses and vulnerabilities that could be traced to broken authentication.

There are many factors that contribute to this problem. First and foremost are improper or sloppy configurations of the system. Human errors are a big culprit in these issues. Systems can be configured haphazardly or worked on by IT personnel who may not have extensive experience to correctly do their job. From the coding level, errors could also crop up because of sloppy work and not having adequate quality controls to ensure that vulnerabilities are searched for and fixed.

Human errors can also be attributed to the users themselves. A study conducted by the National Cyber Security Centre in Great Britain found that an astonishing 23.2 million separate cases of people used “123456” as their chosen password. Then there are other easy-to-guess passwords like the names of sports teams, and the now much-parodied use of the word “password” as the password.

 

PROTECTING YOUR ORGANIZATION

One factor that needs to be addressed to protect your organization’s safety and security is the way that tokens are managed.

One of the more overlooked aspects of good user authentication token management is the expiration time. Ideally, the validity of tokens needs to be refreshed often. One common mistake is that token validity stays for a long time. By implementing long expirations it becomes easy for cybercriminals to use that time to exploit vulnerabilities in the network.

Depending on what your organization needs you could implement Idle, Absolute, or Renewal token expiration techniques. Another good idea would be to ask users to re-authenticate especially if the nature of the business or step that needs to be taken in the network is of a sensitive nature.

Your organization’s security and the data contained within it should be kept safe at all times. While using security features like user authentication tokens is a great idea, it’s only as useful or as effective as how well you’re implementing it in your organization or business. Always be aware of how you implement these security policies and ensure that you are following best practices so that you can reduce your risks of mishandled security from user authentication tokens.

Techvera icon

Written by Daniella Asaf

July 20, 2021

You May Also Like…

Addressing Gender Bias in Tech

Addressing Gender Bias in Tech

More women than ever before are getting degrees in Science, Technology, Engineering, and Mathematics (STEM) fields....