The holiday shopping frenzy is upon us, with consumers taking to the internet in droves to find cyber-deals (and avoid the crowds at the malls). But a fresh danger is lurking for e-commerce aficionados: IBM has uncovered a vulnerability in social log-in services provided by Amazon and LinkedIn, dubbed SpoofedMe.
IBM's X-Force Application Security Research Team found that the flaw lets an attacker abuse social login, one of the most common ways people authenticate to websites, to take over victims' accounts on third-party sites and impersonate them.
Social login is a popular mechanism that offers a convenient way for users to quickly gain access to their web accounts without the need to enter per-site credentials—most of us have seen the “log in with Facebook” message on a site, for instance.
SpoofedMe allows cybercriminals to register a spoofed account at a vulnerable identity provider using the victim's email address, which works only when the victim has no account of their own at that provider. Then, without ever confirming ownership of the email address, the attacker logs in to the relying website through social login with this fake account. The relying website reads the user details asserted by the identity provider, finds the local account whose email address matches, and logs the attacker in to the victim's account on the strength of that email value alone.
The scenarios for using this attack are numerous. For instance, an attacker could pose as the CEO or other executive in a stock forum or other public website sharing data meant to drop the price of the stock so that financial criminals could reap the benefits.
It could also be used for malware launching: an attacker can use the reputation of a prominent developer or celebrity to post links in public forums that can install malware on unsuspecting users' machines.
Or, an operative for a political group or extremist organization could post controversial materials, photos or video under the identity of a political opponent in order to defame them. Extremist groups could likewise use the same tactic to incite a revolt or riot aimed at disrupting the government.
IBM noted that the flaw affected real-world services. For instance, LinkedIn's "Sign In With LinkedIn" service was vulnerable, and a partial list of third-party websites that relied on it and were therefore exposed includes Nasdaq.com, Slashdot.org, Crowdfunder.com and Spiceworks.com.
“LinkedIn’s security team followed our suggestion and fixed the issue by not allowing social login requests that include the email field to continue, in case the email is not verified,” IBM noted, adding that web developers can follow mitigation steps to fix the issue.
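The following is an added example, not code from IBM, LinkedIn or any relying website named above. It models the attack flow described earlier and both fixes mentioned here: the relying-party check (refuse to match a local account on an email the identity provider has not verified, and link accounts by the provider's stable subject identifier) and the identity-provider-side fix (strip the email field from the assertion when the address is unverified). The provider name "fakeidp", the subject identifiers, the account table and the assertions are all constructed for illustration.

```python
"""SpoofedMe: vulnerable vs. hardened relying-party logic (added example).

Simulates a social-login round trip. An identity provider (IdP) returns a
user-info assertion; the relying website maps it to a local account. Every
account, identifier and assertion below is constructed for this example.
"""

from copy import deepcopy
from dataclasses import dataclass
from typing import Optional


@dataclass
class Assertion:
    """User details asserted by the identity provider after social login."""
    provider: str            # which IdP issued it, e.g. "fakeidp" (constructed)
    subject: str             # the IdP's stable, unique id for this IdP account
    email: Optional[str]     # email the IdP account was registered with
    email_verified: bool     # whether the IdP confirmed ownership of that email


# Constructed local account table of the relying website, keyed by email.
# The victim signed up with a password; the attacker has no local account.
_BASE_ACCOUNTS = {
    "ceo@example.com": {"user_id": 1, "linked_social": {}},
}


def fresh_accounts():
    """Return an independent copy of the account table for each scenario."""
    return deepcopy(_BASE_ACCOUNTS)


def attacker_assertion():
    """The attacker registered an IdP account with the victim's email address
    and never completed the email-verification step."""
    return Assertion("fakeidp", "attacker-sub-9", "ceo@example.com", False)


def victim_assertion():
    """The legitimate victim's own IdP account, with a verified email."""
    return Assertion("fakeidp", "victim-sub-1", "ceo@example.com", True)


def vulnerable_login(assertion, accounts):
    """Buggy relying-party logic: trusts the asserted email unconditionally
    and uses it as the sole key into the local account table."""
    acct = accounts.get(assertion.email)
    return acct["user_id"] if acct else None


def hardened_login(assertion, accounts):
    """Relying-party fix.

    1. An account already linked to this (provider, subject) wins outright,
       so the email value is irrelevant for returning social-login users.
    2. Otherwise the email is used only if the IdP vouches that it is
       verified, and the provider identity is then linked for next time.
    """
    for acct in accounts.values():
        if acct["linked_social"].get(assertion.provider) == assertion.subject:
            return acct["user_id"]
    if not assertion.email or not assertion.email_verified:
        return None
    acct = accounts.get(assertion.email)
    if acct is None:
        return None
    acct["linked_social"][assertion.provider] = assertion.subject
    return acct["user_id"]


def idp_filter_userinfo(assertion):
    """Identity-provider-side fix in the spirit of LinkedIn's: do not pass the
    email field downstream unless the address has been verified. This protects
    even relying websites that still run the vulnerable logic."""
    if not assertion.email_verified:
        return Assertion(assertion.provider, assertion.subject, None, False)
    return assertion


if __name__ == "__main__":
    accts = fresh_accounts()
    print("vulnerable RP, attacker:", vulnerable_login(attacker_assertion(), accts))
    print("hardened RP, attacker:  ", hardened_login(attacker_assertion(), accts))
    print("hardened RP, victim:    ", hardened_login(victim_assertion(), accts))
    filtered = idp_filter_userinfo(attacker_assertion())
    print("vulnerable RP after IdP filter:", vulnerable_login(filtered, fresh_accounts()))
```

The design point is that email is a claim, not an identity: the relying website should key social logins on the provider's subject identifier and treat the email as trustworthy only when the provider explicitly marks it verified. The identity-provider filter is a defence in depth for relying websites that never get patched, which is exactly why the LinkedIn-side change mattered for the downstream sites listed above.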