Researchers at IBM's X-Force discovered a way to take over web accounts by exploiting a flaw in how some social login services, and the websites that rely on them, handle unverified email addresses.
Social login, also known as social sign-in, is a form of single sign-on that uses existing credentials from a social networking service such as Facebook, Twitter or Google+ to access a third-party web service. Social login improves the user experience by simplifying the authentication process.
Social login is often implemented with the OAuth standard: websites that adopt it offer the familiar "Sign In With Facebook/LinkedIn/etc." button, which lets users log in with, for example, their LinkedIn or Facebook credentials.
The experts at IBM's X-Force discovered that it is possible to take control of accounts at various websites, including Nasdaq.com, Slashdot.org and Crowdfunder.com, by abusing LinkedIn's social login mechanism.
Or Peles and Roee Hay of IBM Security Systems explained that the attack, which they dubbed SpoofedMe, works against many other identity providers as well.
“In short, to perform the attack, a cybercriminal registers a spoofed account within a vulnerable identity provider using the victim’s email address. Then, without having to actually confirm ownership of the email address, the attacker will log in to the relying website using social login with this fake account. The relying website will check the user details asserted from the identity provider and log the attacker in to the victim’s account based on the victim’s email address value,” states the blog post from IBM’s X-Force.
The post includes a video PoC of the attack against Slashdot, with LinkedIn as the vulnerable identity provider. The attacker creates a LinkedIn account using the victim's email address. LinkedIn sends a verification email to that address to confirm that the registrant controls it, but for the attacker's purposes that does not matter: the unverified account can already be used for social login.
The attacker then goes to Slashdot and uses the social login feature, selecting LinkedIn as the identity provider. Identity providers do not pass the user's credentials to the third-party site; they transfer only profile information such as the email address. Slashdot matches the email address asserted by LinkedIn against its existing accounts and logs the attacker in as the victim. The hijacked account can then be used, for example, to post malicious links that readers will trust because they appear to come from a known contact.
LinkedIn, Amazon and Vasco, all identity providers, have either fixed the issue or taken measures to prevent such account takeovers after being notified by IBM, the researchers said. But the problem is one that both identity providers and the third-party websites relying on them should be aware of.
Be aware that the attack works only if the victim does not already have an account at the vulnerable identity provider registered with that email address (otherwise the attacker could not register it there), while the victim does have an account at the relying website under that address. The flaws in the social login process are twofold: first, the identity provider lets a newly registered account use social login before the email address has been verified, and asserts that unverified address to relying websites; second, the relying website treats the asserted email address as sufficient proof of identity and links the login to the existing local account that carries the same address.
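The two flaws above, as an added example that is not code from the IBM X-Force post or from any of the websites named in the article: a minimal, hypothetical relying-party login handler showing the email-only account-linking logic SpoofedMe abuses beside a hardened version. The identity provider's assertion is modelled as a plain dict with the assumed field names iss, sub, email and email_verified (borrowed from OpenID Connect claim names; LinkedIn's actual response format is not shown here), and the token exchange and signature validation are assumed to have already happened. All accounts and assertions are constructed sample data.

```python
# Added illustrative example, not code from IBM X-Force or any named website.
# Assumed assertion fields: iss, sub, email, email_verified (OIDC-style names).
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: int
    email: str


@dataclass
class RelyingParty:
    # local accounts keyed by user_id (constructed sample data goes here)
    accounts: dict = field(default_factory=dict)
    # (issuer, subject) -> user_id; populated only once a link is trusted
    federated_links: dict = field(default_factory=dict)

    def _find_by_email(self, email):
        for acct in self.accounts.values():
            if acct.email.lower() == email.lower():
                return acct.user_id
        return None

    def vulnerable_login(self, assertion):
        """Insecure: the email claim alone selects the local account.
        A spoofed IdP account carrying the victim's (unverified) address
        is therefore logged in as the victim."""
        return self._find_by_email(assertion["email"])

    def hardened_login(self, assertion):
        """Safer: identify the user by the stable (issuer, subject) pair.
        Fall back to email only when the IdP states it verified the address,
        and remember the link so later logins do not rely on email at all."""
        key = (assertion["iss"], assertion["sub"])
        if key in self.federated_links:
            return self.federated_links[key]
        if not assertion.get("email_verified", False):
            return None  # unverified address: never use it to pick an account
        user_id = self._find_by_email(assertion["email"])
        if user_id is not None:
            self.federated_links[key] = user_id
        return user_id


def build_demo():
    """Constructed scenario: the victim holds account 42 at the relying site;
    the attacker registered an IdP account under the victim's address but
    never completed email verification."""
    rp = RelyingParty()
    rp.accounts[42] = Account(42, "victim@example.com")
    spoofed = {"iss": "idp.example", "sub": "attacker-9001",
               "email": "victim@example.com", "email_verified": False}
    legit = {"iss": "idp.example", "sub": "victim-1234",
             "email": "victim@example.com", "email_verified": True}
    return rp, spoofed, legit


if __name__ == "__main__":
    rp, spoofed, legit = build_demo()
    print("vulnerable, spoofed assertion ->", rp.vulnerable_login(spoofed))  # 42: takeover
    print("hardened, spoofed assertion   ->", rp.hardened_login(spoofed))    # None: refused
    print("hardened, victim's own IdP    ->", rp.hardened_login(legit))      # 42
```

The hardened path still trusts the identity provider's word that the address was verified, which is exactly what LinkedIn's vulnerable implementation got wrong; a relying site that wants to be independent of provider bugs should never auto-link a social login to an existing local account by email at all, and instead require the user to authenticate locally once before the (issuer, subject) link is stored.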
According to the experts, LinkedIn was vulnerable because its social login still supported a deprecated OAuth 1.0 implementation that asserted the email address to relying websites without requiring it to be verified; LinkedIn's OAuth 2.0 social login implementation was not affected.
The problem is that most of the websites the experts analyzed were still using the vulnerable LinkedIn implementation as an identity provider.
The researchers discovered a similar issue in Amazon's social login implementation, and Vasco was affected as well; as noted above, all three providers addressed the flaw after notification from IBM.
(Security Affairs – Social login, OAuth)