A newly highlighted vulnerability lets an attacker abuse social login to take over a victim's account on a website that offers it, and then read the victim's information, post spam messages and so forth.
The flaw, reported by IBM X-Force’s Application Security Research Team (via Time), affects the social login mechanism that many third-party sites offer so that users can sign in with their Facebook, LinkedIn or similar account instead of a site-specific password.
IBM X-Force has named the attack “SpoofedMe”. It works against some social login identity providers, with LinkedIn and Amazon named by the researchers, and it also requires the website hosting the social login to rely on the identity provider to vouch for the user’s identity, specifically by treating the email address the provider returns as proof of who the user is.
For the attack to succeed, the victim’s email address must not already be registered to an account at the identity provider, since the attacker needs to register an account under that address. The victim does need an existing account at the target website; that is the account which gets hijacked.
How does the attacker pull this off? IBM X-Force explains that the attacker first registers a bogus account at the vulnerable identity provider using the victim’s email address, without ever verifying it. The attacker then signs in to the third-party website through social login with this spoofed account, and the site logs the attacker into the victim’s account simply because the email address the identity provider returned matches the one on file.
At no point does the attacker have to prove ownership of the email account. The victim does receive an email verification request from the identity provider, but unless they notice it and act immediately, they are unlikely to prevent the attacker from gaining access, since the attacker can complete the login in the meantime.
For the full details, see the IBM X-Force post on the matter, which walks through an example against Slashdot with LinkedIn as the identity provider. LinkedIn has since fixed the issue, thankfully.
On the subject of mitigation, IBM X-Force notes: “We strongly recommend that developers of both websites that use social login and future identity providers follow the Mitigation section in our white paper. While fixing the identity provider vulnerability would be enough for this attack to be blocked (attack Stage 4 won’t be reached), it is important for websites that are vulnerable to fix the website design problem because it may expose their users to similar attacks.”
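To make the attack chain described above and the two-sided mitigation in the quote concrete, here is a small Python simulation. It is added for this article and is not code from IBM X-Force or from any of the sites named; the identity provider, website, accounts and email addresses are all constructed for the example. The `email_verified` flag in the assertion stands in for the signal a real provider would return (OpenID Connect defines a claim of that name). The simulation shows the vulnerable case, the provider-side fix (an account with an unconfirmed address cannot be used for social login) and the website-side fix (an unverified address is never enough to link a login to an existing local account), and it also shows that the attack fails when the victim already holds an account at the provider.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IdpAccount:
    email: str
    password: str
    email_verified: bool = False  # new accounts start unverified


class IdentityProvider:
    """Toy identity provider (constructed for this example).

    allow_unverified_login=True models the vulnerable behaviour: an account
    whose email was never confirmed can still complete a social login.
    """

    def __init__(self, allow_unverified_login: bool) -> None:
        self.accounts: Dict[str, IdpAccount] = {}
        self.allow_unverified_login = allow_unverified_login

    def register(self, email: str, password: str) -> bool:
        # Registration is refused if the address already belongs to an
        # account; this is the precondition the article mentions.
        if email in self.accounts:
            return False
        self.accounts[email] = IdpAccount(email, password)
        return True

    def confirm_email(self, email: str) -> None:
        # What happens when the real owner clicks the verification link.
        self.accounts[email].email_verified = True

    def social_login(self, email: str, password: str) -> Optional[dict]:
        """Authenticate and return an identity assertion for the website."""
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return None
        if not acct.email_verified and not self.allow_unverified_login:
            return None  # fixed provider: unverified accounts cannot be used
        # The flag mirrors the OpenID Connect 'email_verified' claim.
        return {"email": acct.email, "email_verified": acct.email_verified}


class Website:
    """Toy relying party that maps an email address to a local account."""

    def __init__(self, require_verified_email: bool) -> None:
        self.users: Dict[str, str] = {}
        self.require_verified_email = require_verified_email

    def add_user(self, email: str, account_name: str) -> None:
        self.users[email] = account_name

    def login_with_assertion(self, assertion: Optional[dict]) -> Optional[str]:
        """Return the name of the local account the caller is logged into."""
        if assertion is None:
            return None
        if self.require_verified_email and not assertion.get("email_verified"):
            # Hardened site: an unverified address never links the login
            # to an existing local account.
            return None
        # Vulnerable design: the email address alone selects the account.
        return self.users.get(assertion["email"])


VICTIM_EMAIL = "victim@example.com"  # constructed sample data


def run_attack(idp_fixed: bool, site_fixed: bool,
               victim_has_idp_account: bool = False) -> Optional[str]:
    """Replay the SpoofedMe steps; returns the account the attacker lands in."""
    idp = IdentityProvider(allow_unverified_login=not idp_fixed)
    site = Website(require_verified_email=site_fixed)
    site.add_user(VICTIM_EMAIL, "victim-account")
    if victim_has_idp_account:
        idp.register(VICTIM_EMAIL, "victim-pw")
    # Step 1: attacker registers at the provider with the victim's address.
    if not idp.register(VICTIM_EMAIL, "attacker-pw"):
        return None  # address already taken at the provider: attack fails
    # Step 2: attacker uses that account for social login without ever
    # answering the verification email.
    assertion = idp.social_login(VICTIM_EMAIL, "attacker-pw")
    # Step 3: the website links the login to whichever local account
    # carries that email address.
    return site.login_with_assertion(assertion)


def run_legitimate_login(site_fixed: bool) -> Optional[str]:
    """The real owner, with a verified provider account, still gets in."""
    idp = IdentityProvider(allow_unverified_login=False)
    site = Website(require_verified_email=site_fixed)
    site.add_user(VICTIM_EMAIL, "victim-account")
    idp.register(VICTIM_EMAIL, "victim-pw")
    idp.confirm_email(VICTIM_EMAIL)
    return site.login_with_assertion(idp.social_login(VICTIM_EMAIL, "victim-pw"))


if __name__ == "__main__":
    print("both vulnerable :", run_attack(False, False))  # victim-account
    print("provider fixed  :", run_attack(True, False))   # None
    print("website fixed   :", run_attack(False, True))   # None
    print("legitimate user :", run_legitimate_login(True))  # victim-account
```

Either fix alone stops the attack, which is the point of the quoted recommendation: once the provider refuses to assert an unconfirmed address, the website-side step is never reached, but a website that keys accounts on an unverified email remains exposed to any other provider that behaves the same way. A real site that receives an unverified address should either refuse the login or create a fresh, unlinked account rather than attaching the session to an existing one.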