
SpoofedMe attacks exploit popular websites social login flaws

IBM researchers found flaws in the way several identity providers implement social login authentication.

Researchers at IBM's X-Force security team discovered a way to take over web accounts by exploiting flaws in some social login services.

Social login, also known as social single sign-on, is a form of single sign-on that uses existing credentials from a social networking service such as Facebook, Twitter or Google+ to access a third-party web service. Social login improves the user experience by simplifying the authentication process.

Social login is often implemented with the OAuth standard: websites that support it offer the familiar "Sign in with Facebook/LinkedIn/etc." button that lets users log in with, for example, their LinkedIn or Facebook credentials.

The experts at IBM's X-Force discovered that it is possible to gain control of accounts at various websites, including Nasdaq.com, Slashdot.org, Crowdfunder.com and others, by abusing LinkedIn's social login mechanism.

Or Peles and Roee Hay of IBM Security Systems, who dubbed the attack SpoofedMe, explained that it works against many other identity providers as well.

"In short, to perform the attack, a cybercriminal registers a spoofed account within a vulnerable identity provider using the victim's email address. Then, without having to actually confirm ownership of the email address, the attacker will log in to the relying website using social login with this fake account. The relying website will check the user details asserted from the identity provider and log the attacker in to the victim's account based on the victim's email address value." states the blog post from IBM's X-Force.

The post includes a video PoC of the attack against LinkedIn, the vulnerable identity provider in the demonstration, with Slashdot.org as the relying website.

First, the attacker creates a LinkedIn account using the victim's email address. LinkedIn sends a verification email to the victim to confirm that the person registering controls the address, but for the attacker's purposes that does not matter: the account exists and can be used for social login before the address is ever verified.

Then the attacker goes to Slashdot and uses the social login feature, selecting LinkedIn as the identity provider. Identity providers do not pass the user's credentials to the third-party site; they only transfer identity information such as the email address.

Slashdot.org then matches the email address passed to it by LinkedIn against its existing accounts and logs the attacker in to the victim's account. The compromised account could then be used to post malicious links that readers would believe came from a trusted contact.

The problem is one that both identity providers and the third-party websites relying on them should be aware of, since either side can break the attack.

Be aware that the attack works only if the victim does not already have an account at the identity provider registered under that email address (otherwise the attacker cannot register it), while holding an account at the relying website tied to the same address. The flaws in the social login process are:

  • Slashdot.org (the relying website) should not trust the asserted email address unless the identity provider confirms that it has been verified.
  • The identity provider should not pass on the user's email address until it has been verified.
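The relying-party side of the fix described above, as an added example that is not IBM's, LinkedIn's or Slashdot's code: a small account store that links an identity-provider assertion to a local account. The vulnerable path matches on the asserted email alone, which is exactly what SpoofedMe abuses; the hardened path matches on the identity provider's stable (issuer, subject) identifier first, falls back to email only when the provider says the address is verified, and refuses to bind a second identity from the same provider to an account that is already linked. The assertion format, the `email_verified` flag and the `idp.example` issuer are assumptions for illustration (OpenID Connect exposes an equivalent `email_verified` claim; other providers differ), and the sample assertions are constructed.

```python
"""Relying-party (RP) handling of a social-login assertion: vulnerable vs hardened.

Added example, not code from the article or the vendors it names. The
IdpAssertion shape, the `email_verified` flag and the issuer name are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    email: str
    # Identities explicitly bound to this account, as (issuer, subject) pairs.
    linked_ids: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass(frozen=True)
class IdpAssertion:
    """What the RP learns from the identity provider after the user logs in there.

    `sub` is the provider's own stable identifier for the account; `email_verified`
    says whether the provider confirmed the address (assumed field, see lead-in).
    """
    issuer: str
    sub: str
    email: str
    email_verified: bool


class RelyingParty:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.by_email: Dict[str, str] = {}
        self.by_identity: Dict[Tuple[str, str], str] = {}

    def register_local(self, username: str, email: str) -> Account:
        acct = Account(username, email.lower())
        self.accounts[username] = acct
        self.by_email[acct.email] = username
        return acct

    # --- vulnerable: the pattern SpoofedMe abuses ----------------------------
    def login_vulnerable(self, a: IdpAssertion) -> Optional[Account]:
        """Treat the asserted email as proof of identity. Any provider account
        carrying the victim's address, verified or not, logs in as the victim."""
        username = self.by_email.get(a.email.lower())
        return self.accounts.get(username) if username else None

    # --- hardened -------------------------------------------------------------
    def login_hardened(self, a: IdpAssertion) -> Optional[Account]:
        """Match on (issuer, sub) first. Fall back to email only when the provider
        verified it, record the link so later logins never depend on email, and
        never bind two identities from one provider to the same account."""
        key = (a.issuer, a.sub)
        username = self.by_identity.get(key)
        if username:
            return self.accounts[username]
        if not a.email_verified:
            # Unverified address: refuse to auto-link. A real RP would now ask for
            # the local password or send its own confirmation mail before linking.
            return None
        username = self.by_email.get(a.email.lower())
        if username is None:
            return None
        acct = self.accounts[username]
        if any(issuer == a.issuer for issuer, _ in acct.linked_ids):
            # Already bound to a different identity at this provider: refuse.
            return None
        self.by_identity[key] = username
        acct.linked_ids.add(key)
        return acct


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Run the scenario from the article against both code paths."""
    rp = RelyingParty()
    rp.register_local("victim", "victim@example.com")

    # Constructed: attacker registered at the provider with the victim's email and
    # never completed verification, then used social login at the RP.
    spoofed = IdpAssertion("idp.example", "attacker-7", "victim@example.com", False)
    # Constructed: the real owner, after the provider verified the address.
    genuine = IdpAssertion("idp.example", "victim-1", "victim@example.com", True)
    # Constructed: a second, verified identity at the same provider, same email.
    second = IdpAssertion("idp.example", "other-9", "victim@example.com", True)

    vuln = rp.login_vulnerable(spoofed)          # takeover succeeds
    hard_spoof = rp.login_hardened(spoofed)      # refused: email not verified
    hard_genuine = rp.login_hardened(genuine)    # linked by verified email
    hard_second = rp.login_hardened(second)      # refused: account already linked
    name = lambda acct: acct.username if acct else None
    return name(vuln), name(hard_spoof), name(hard_genuine), name(hard_second)


if __name__ == "__main__":
    print(demo())
```

The (issuer, sub) binding is what actually closes the hole: once the real owner has linked their provider account, even a later attacker assertion with the right email and `email_verified` set true cannot reach the account, because the account already has an identity from that issuer. Email is used once, for bootstrapping, and only when the provider vouches for it.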

The experts explained that LinkedIn was vulnerable because it still supported a deprecated version of the OAuth protocol for social login; LinkedIn's OAuth 2.0 flow was not affected by the flaw. The protocol version is not the root cause in itself, though: the takeover follows from the identity provider asserting an unverified address and the relying website accepting that address as proof of identity.

The problem is that the majority of the websites analyzed by the experts still integrated LinkedIn as an identity provider through the vulnerable, deprecated flow.

The researchers discovered a similar security issue in Amazon's social login implementation. LinkedIn, Amazon and Vasco have all fixed the flaw, or taken measures against such account takeovers, after being notified by IBM.

Pierluigi Paganini

(Security Affairs –  Social login, OAuth)
