Vulnerability affected multiple identity providers

Dec 5, 2014 13:10 GMT  ·  By

A vulnerability in the social login process of LinkedIn, Amazon and MYDIGIPASS allowed a malicious individual to gain unauthorized access to accounts on online services that adopted this authentication mechanism, without needing a password.

Social login authentication, also called single sign-on, consists of granting access to an online account based on information from an identity provider, such as the ones mentioned above or a social network like Facebook or Google+.

Multiple websites have resorted to this authentication method in order to make the login process more secure and easier for their clients.

The attack is simple, but some conditions have to be met

Or Peles and Roee Hay, researchers at IBM’s security arm X-Force, discovered a flaw in the system that allowed an attacker to spoof a victim's credentials and access their online account.

The attack is simple, and in their example, the social login service provided by LinkedIn was used to gain entrance into a Slashdot account.

The registration process for LinkedIn requires the client to validate their email address by opening a confirmation link that the service sends to their inbox.

The spoofing attack, dubbed SpoofedMe by the researchers, relied on the fact that LinkedIn generated the authentication token used for logging into a service even if the provided email had not been validated, that is, while the sign-up procedure was still incomplete.

As a result, the intruder was able to create a LinkedIn account with the victim's email address and impersonate them. If the username was already registered, the attack was no longer possible.

Without ever confirming ownership of the address, the malicious actor could then log into any website that relied on the information from the identity provider. The only condition was being signed into the LinkedIn account with the unverified email.

“The relying website will check the user details asserted from the identity provider and log the attacker in to the victim’s account based on the victim’s email address value,” Or Peles wrote in a blog post.
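As an added illustration, not code from the researchers or from any of the providers named, here is a minimal relying-party account-linking routine in Python: the flawed logic the article describes (trusting the asserted email alone) beside a hardened version that requires the identity provider's verified-email flag and pins a returning user to the provider-side identity. The provider name, account data and field names are constructed assumptions.

```python
"""Relying-party account linking: the SpoofedMe flaw next to its fix."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Assertion:
    """What the identity provider tells the relying party after login."""
    provider: str          # constructed sample, e.g. "linkedin"
    subject: str           # provider-side user id (attacker's is different)
    email: str             # email the provider asserts for this user
    email_verified: bool   # did the provider confirm ownership of it?


@dataclass
class RelyingParty:
    # local accounts keyed by email (constructed sample data)
    accounts: Dict[str, str] = field(default_factory=dict)
    # (provider, subject) pairs already linked to a local user id
    links: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def login_vulnerable(self, a: Assertion) -> Optional[str]:
        """Matches the local account purely on the asserted email.
        An attacker who registered the victim's address at the
        provider without verifying it is logged in as the victim."""
        return self.accounts.get(a.email)

    def login_hardened(self, a: Assertion) -> Optional[str]:
        """Never links on an unverified email; once linked, the
        provider-side subject identifies the user, not the email."""
        key = (a.provider, a.subject)
        if key in self.links:
            return self.links[key]          # known identity, no email lookup
        if not a.email_verified:
            return None                     # unverified address: refuse to link
        user = self.accounts.get(a.email)
        if user is not None:
            self.links[key] = user          # first verified login records the link
        return user


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Attacker's unverified assertion against both implementations."""
    rp = RelyingParty(accounts={"victim@example.com": "u-victim"})
    attacker = Assertion("linkedin", "attacker-9", "victim@example.com", False)
    return rp.login_vulnerable(attacker), rp.login_hardened(attacker)
```

The hardened version also matches what the article says the providers did on their side: MYDIGIPASS now only asserts verified addresses, and Amazon documented how to link local accounts and plans a verified-email scope.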

Identity providers have taken steps to mitigate the problem

It is important to note that LinkedIn promptly responded to the disclosure of the vulnerability and fixed the issue.

Amazon has also taken measures, adding documentation for developers that describes how third parties supporting its identity provider service can correctly link local accounts on their systems. A “verified email” scope is planned for the near future.

Although MYDIGIPASS.com Secure Login relies on two-factor authentication (2FA), it was also vulnerable to the SpoofedMe attack. This was possible because the attacker could use their own physical device to receive the supplementary authentication code. In this case, the problem has been corrected too, and authentication on other websites can be done only when the MYDIGIPASS email is verified.

The researchers have created a video (available below) demonstrating the SpoofedMe attack.

Image gallery: SpoofedMe Social Login attack (5 images). Captions: Stages of the SpoofedMe attack; Social Login authentication process; Attacker registers on LinkedIn, the email address is not verified.