IBM’s X-Force Application Security Research team says hackers can easily exploit social logins using Facebook or LinkedIn to gain access to another site, like SlashDot.org and Nasdaq.com.
The attack, called “Spoofed-Me,” allows hackers to impersonate a victim by using the “Sign-in with” function that many sites offer users in lieu of registration. IBM’s research team used LinkedIn to demo the attack. They first created a new LinkedIn account using the victim John Doe’s email address. While the account was still pending verification of John Doe’s email address, IBM used the spoofed LinkedIn account to log in to John Doe’s SlashDot account.
The exploit is shockingly simple. The vulnerability emerged on some social login providers like LinkedIn, Amazon, and Mydigipass. IBM says that LinkedIn responded quickly and fixed the issue when alerted to the flaw. Among sites susceptible to the attack are Nasdaq, SlashDot, and SpiceWorks, but IBM notes that the attack can only work if the victim’s email is not already registered with the social login provider being used.
“There could be thousands of websites vulnerable to this attack but it’s hard for us to determine which are. The vulnerability is two-fold and relies on a website to have an unpatched vulnerability AND use a vulnerable social login provider thus not all are vulnerable,” the company said to me in an email. IBM’s researchers recommend that all sites that offer social login capabilities review their processes and make sure they aren’t vulnerable to the hack. In terms of mitigation, IBM says developers can ask users for more proof of ownership of an existing account or prevent attacks by not allowing social logins with unverified email addresses.
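The mitigation IBM describes, shown as an added example that is not IBM’s or any site’s code: a relying-party login handler that first honours an existing provider-to-account link and otherwise refuses to match an existing local account on an email the provider has not verified. It assumes the provider returns an `email_verified` flag (as OpenID Connect does); the user table and identities are constructed.

```python
from dataclasses import dataclass

# Constructed local user table for a hypothetical relying-party site.
LOCAL_USERS = {"john.doe@example.com": {"user_id": 42, "name": "John Doe"}}


@dataclass(frozen=True)
class SocialIdentity:
    provider: str          # e.g. "linkedin"
    subject: str           # provider's stable user id, never reused
    email: str             # email claim supplied by the provider
    email_verified: bool   # did the provider confirm ownership of that email?


# Constructed identities: a spoofed account whose email is still pending
# verification, and the real John Doe whose email the provider has verified.
SPOOFED = SocialIdentity("linkedin", "sub-999", "John.Doe@example.com", False)
VERIFIED = SocialIdentity("linkedin", "sub-111", "john.doe@example.com", True)


def link_by_email_unsafe(identity: SocialIdentity):
    """Vulnerable pattern: trusts the email claim alone and logs the bearer
    into whatever local account carries that address."""
    user = LOCAL_USERS.get(identity.email.lower())
    return user["user_id"] if user else None


def login(identity: SocialIdentity, links: dict):
    """Hardened login. `links` maps (provider, subject) -> local user_id.

    1. A previously established link is authoritative.
    2. Otherwise an existing local account is matched by email only if the
       provider has verified that email; an unverified identity gets no
       access and should instead be sent to registration or to a separate
       proof-of-ownership step (e.g. a confirmation mail from this site).
    """
    uid = links.get((identity.provider, identity.subject))
    if uid is not None:
        return uid
    if not identity.email_verified:
        return None
    user = LOCAL_USERS.get(identity.email.lower())
    if user is None:
        return None
    links[(identity.provider, identity.subject)] = user["user_id"]
    return user["user_id"]
```

With the spoofed identity the unsafe handler grants John Doe’s account, while the hardened one returns `None`; the verified identity is linked once and then recognised by its subject id.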
Researchers say they worry this vulnerability could lead to malicious actors being able to pose as the executive of a company on social forums and release false information meant to manipulate stock price. The same type of attack could affect politicians and others in the public eye. Moreover, someone impersonating a celebrity could use their privileged position to get other unsuspecting users to download malware.
Below is a video demonstration of the exploit, and you can see the full explanation of the attack here.