Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.


IBM’s X-Force Application Security Research team says hackers can easily exploit social logins using Facebook or LinkedIn to gain access to another site, like SlashDot.org and Nasdaq.com.

The attack, called “Spoofed-Me,” allows hackers to impersonate a victim by using the “Sign-in with” function that many sites offer users in lieu of registration. IBM’s research team used LinkedIn to demo the attack. They first created a new LinkedIn using the victim John Doe’s email address. While the account was pending verification of John Doe’s email address, IBM used the spoofed LinkedIn account to login onto John Doe’s SlashDot account.

Blog_Social_Login_Illustration_Attack

The exploit is shockingly simple. The vulnerability emerged on some social login providers like LinkedIn, Amazon, and Mydigipass. IBM says that LinkedIn responded quickly and fixed the issue when alerted to the flaw. Among sites susceptible to the attack are Nasdaq, SlashDot, and SpiceWorks, but IBM notes that the attack can only work if the victim’s email is not already registered with the social login provider being used.

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.

Register Here

“There could be thousands of websites vulnerable to this attack but it’s hard for us to determine which are. The vulnerability is two-fold and relies on a website to have an unpatched vulnerability AND use a vulnerable social login provider thus not all are vulnerable,” the company said to me in an email. IBM’s researchers recommend that all sites that offer social login capabilities review their processes and make sure they aren’t vulnerable to the hack. In terms of mitigation, IBM says developers can ask users for more proof of ownership of an existing account or prevent attacks by not allowing social logins with unverified email addresses.

Researchers say they worry this vulnerability could lead to malicious actors being able to pose as the executive of a company on social forums and release false information meant to manipulate stock price. The same type of attack could affect politicians and others in the public eye. Moreover, someone impersonating a celebrity could use their privileged position to get other unsuspecting users to download malware.

Below is a video demonstration of the exploit, and you can see the full explanation of the attack here.

 

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.