OWASP Top 7 Identification and Authentication Failures

Continuing our series on OWASP's top vulnerabilities, today we dive into vulnerability #7, Identification and Authentication Failures.

OWASP #7 - Identification and Authentication

Identification and authentication failures refer to weaknesses in the mechanisms that confirm the identity of users, applications, or systems. When these processes are not properly implemented, attackers can gain unauthorized access to sensitive data or systems.

Common issues that lead to these failures:

  1. Weak or default passwords.

  2. Broken or missing multi-factor authentication (MFA).

  3. Exposed session IDs or tokens in URLs.

  4. Improper session management (e.g., sessions not expiring or being invalidated after logout).

  5. Brute-force attacks due to lack of rate limiting or account lockout.

How to mitigate identification and authentication failures:

  1. Enforce strong password policies and MFA.

  2. Securely store credentials using bcrypt or Argon2.

  3. Use secure, random session tokens with proper expiration.

  4. Implement rate limiting and monitoring for login attempts.

  5. Never expose sensitive authentication data in URLs or logs.
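The mitigations listed above, as an added example in Python that is not the post's own code. It shows items 2 to 5 working together in one small, in-memory authentication store: salted password hashing, random session tokens with an expiry, per-account lockout after repeated failures, and a log-safe token redaction helper. The post recommends bcrypt or Argon2; this example uses the standard library's hashlib.scrypt, which is also a salted, memory-hard password hash, so it runs with no extra packages (swapping in argon2-cffi or bcrypt is a one-function change). The AuthStore class, the limits, and the "alice" user are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values for the demo; tune to your own risk model.
MAX_ATTEMPTS = 5            # failed logins allowed inside one lockout window
LOCKOUT_SECONDS = 300       # how long an account stays locked afterwards
SESSION_TTL_SECONDS = 900   # how long a session token stays valid


class AuthStore:
    """Minimal in-memory user/session store (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable clock so expiry can be tested
        self.users = {}        # username -> {"salt": bytes, "hash": bytes}
        self.failures = {}     # username -> timestamps of recent failed logins
        self.sessions = {}     # token -> {"user": str, "expires": float}

    # --- credential storage: per-user salt + memory-hard KDF ---
    @staticmethod
    def _hash(password, salt):
        # stdlib stand-in for bcrypt/Argon2: scrypt with a 16 MiB work factor
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt)}

    # --- rate limiting: count failures inside a sliding window ---
    def _locked(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, [])
                  if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_ATTEMPTS

    def login(self, username, password):
        """Return a fresh session token on success, None on any failure."""
        if self._locked(username):
            return None
        user = self.users.get(username)
        # Run the KDF even for unknown users so response time does not
        # reveal which usernames exist.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = self._hash(password, salt)
        if user is None or not hmac.compare_digest(candidate, user["hash"]):
            self.failures.setdefault(username, []).append(self.clock())
            return None
        self.failures.pop(username, None)
        # --- session token: 256 bits from the OS CSPRNG, with an expiry ---
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username,
                                "expires": self.clock() + SESSION_TTL_SECONDS}
        return token

    def resolve(self, token):
        """Map a token to its user, dropping it once it has expired."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.clock() > session["expires"]:
            del self.sessions[token]
            return None
        return session["user"]

    def logout(self, token):
        """Invalidate the token server-side, not just in the browser."""
        self.sessions.pop(token, None)


def redact(token):
    """Log-safe form of a token: only a short prefix ever reaches log lines."""
    return token[:4] + "..." if token else "<none>"


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")
    tok = store.login("alice", "correct horse battery staple")
    print("logged in as", store.resolve(tok), "token", redact(tok))
```

Three design points matter beyond what the list says: the lockout check happens before the password check, so a correct guess is refused while the account is locked; the failure counter is cleared on success, so a legitimate user is not penalised for old typos; and logout deletes the session server-side rather than relying on the client to forget the cookie.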

What are the consequences of poor identification and authentication practices?

  1. Bad actors can impersonate users or administrators.

  2. Sessions can be hijacked and misused.

  3. Authentication can be bypassed entirely and nefarious actions can be taken.

Facebook’s Session Token Exposure (2018)

In September 2018, Facebook disclosed a serious security breach that compromised the accounts of nearly 50 million users due to a flaw in its session management system. The root of the vulnerability lay in Facebook's "View As" feature, which allows users to see how their profile appears to others. A bug in this feature, combined with an unexpected interaction with Facebook's video uploader, allowed attackers to receive access tokens for the user being viewed—tokens that are meant to keep users logged in without re-entering their password.

Access tokens function like digital keys. Once an attacker had a user’s token, they could access that person’s account as if they were logged in, without needing to know the password or trigger any suspicious login alerts. Worse, attackers could automate the process to scale the attack and collect more tokens by chaining requests through the "View As" feature. By the time the breach was discovered, attackers had likely been exploiting the vulnerability for over a year, making it one of the largest security incidents in Facebook’s history.

Facebook responded by fixing the bugs, resetting access tokens for 90 million users, and temporarily disabling the "View As" feature. The breach prompted criticism from regulators and privacy advocates, especially in Europe under the newly enforced GDPR. It served as a wake-up call about the dangers of broken authentication and session management, emphasizing the importance of properly securing session tokens, minimizing token exposure in front-end code, and rigorously testing features that interact with authentication systems.