SpoofedMe - A Social Login Attack Discovered by IBM Researchers You Ought To Know About

Logging in from popular social networking sites like Facebook, Google+, LinkedIn etc. is probably the most convenient way to use the resources of your favourite website. However, how safe it is to use such social logins is now a question. IBM X-Force's Application Security Research Team has discovered an attack, SpoofedMe, which allows a hacker to intrude into a user account on a website by abusing social login. Once access is gained, the attacker has full control over the victim's account, including managing personal information, spamming etc.

[Image: spoofedme_attack]

The above included image shows how the attack could be carried out. For instance, an attacker could intrude into Slashdot.org by logging in via LinkedIn. However, LinkedIn quickly responded to the vulnerability and fixed the issue after the attack was disclosed. In order to perform the attack, a criminal creates a fake account at the identity provider using the victim's email address. Then, without having to confirm ownership of the address, the criminal can log in to the relying website via social login. The relying website checks the user details and logs the attacker into the victim's account, because it matches accounts by the victim's email address. Or Peles, an X-Force security researcher, explained the combination of flaws required to carry out the attack. One is the vulnerability in the social login identity providers, which was found in Amazon, LinkedIn and MYDIGIPASS: they passed an email address to relying websites without verifying it. The other is the design issue in the affected relying website: it trusts that email address to identify the local account.

LinkedIn and Amazon social login services were vulnerable. However, it is believed that the issue is now fixed and these identity providers allow access only when the email address is verified. Another service, MYDIGIPASS.com Secure Login, was vulnerable even though it uses two-factor authentication. That team has also fixed the issue and now supplies the email field to its relying websites only when the user's email address is verified.
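To make the relying-website design flaw concrete, here is an added example (not code from the article, IBM X-Force, or any of the providers named): a simplified social-login handler that first matches accounts by the provider-supplied email alone, and then the hardened version that matches on the provider's stable user id and only falls back to email when the provider marks it verified. The assertion fields, the `email_verified` claim name and the account table are all constructed stand-ins.

```python
# Added example: relying-website account matching in social login.
# The Assertion shape and the "email_verified" claim are assumptions,
# not the actual LinkedIn/Amazon/MYDIGIPASS response format.
from dataclasses import dataclass


@dataclass
class Assertion:
    issuer: str           # which identity provider signed this
    subject: str          # provider's stable user id
    email: str            # email address the provider reports
    email_verified: bool  # did the provider confirm ownership of it?


# Constructed relying-website user table, keyed by local account id.
ACCOUNTS = {
    "u1001": {"email": "victim@example.com",
              "linked_identities": {("idp.example", "victim-123")}},
}


def lookup_by_email(email):
    return next((uid for uid, a in ACCOUNTS.items() if a["email"] == email), None)


def login_insecure(assertion):
    """Flawed pattern: the provider's email alone selects the local account,
    whether or not the provider ever verified that address."""
    return lookup_by_email(assertion.email)


def login_hardened(assertion):
    """Fix: match on the provider's stable (issuer, subject) link first; use
    email only when the provider asserts it is verified, else refuse."""
    key = (assertion.issuer, assertion.subject)
    for uid, acct in ACCOUNTS.items():
        if key in acct["linked_identities"]:
            return uid
    if not assertion.email_verified:
        return None  # unverified address: never auto-link to an account
    return lookup_by_email(assertion.email)


# Constructed assertions: a provider account registered with the victim's
# address but never verified, and the victim's genuine linked identity.
SPOOFED = Assertion("idp.example", "attacker-999", "victim@example.com", False)
LEGIT = Assertion("idp.example", "victim-123", "victim@example.com", True)

if __name__ == "__main__":
    print(login_insecure(SPOOFED))  # u1001: victim's account is handed over
    print(login_hardened(SPOOFED))  # None: rejected
    print(login_hardened(LEGIT))    # u1001
```

The same check belongs on the provider side too: an identity provider that refuses to emit an email claim until the address is confirmed removes the first of the two flaws regardless of how the relying site behaves.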

Following is the video released by IBM Security Systems demonstrating the hack when the LinkedIn vulnerability wasn’t fixed.


Source: SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers

Replies

  • karanam kumar sai surya
    wow... nice article man. Hacking is always interesting.
