A fix is expected later this week, social sign-in disabled

Jun 23, 2015 15:34 GMT

A serious vulnerability has been uncovered in the Spiceworks application, which created an administrator account for anyone using their Facebook or LinkedIn credentials to log in.

Spiceworks is a network of 6 million IT professionals where they can exchange product reviews and publish how-tos in order to make their work easier.

The application includes features ranging from mobile device management and viewing all systems in the company network to setting up a help desk service. Recently, Spiceworks introduced the social sign-in capability to the application; it has been available for the online portal for quite a while.

Vulnerability has been reproduced

The issue was discovered by Spiceworks community member Darren K. Smith in the latest version of the application (7.4.00065) and could be exploited when authenticated on the login page for administrators.

Joseph Griffin, a verification engineer at Spiceworks, said on Tuesday that the glitch had been replicated and that the security issue “requires immediate attention,” with a fix planned for this week.

Security flaw is serious, community and developer agree

His reply was edited, as it initially downplayed the severity of the issue, saying that “I wouldn't use the word major in regards to this vulnerability.” The poor wording of the response was explained in a later post as referring to a scenario where damage would result from outside intrusions only.

“I was simply trying to identify the scope of the issue in relation to hackers being able to access your information, not the severity of the issue itself,” Griffin explained.

The standpoint of the users, however, was that anyone in the company with malicious intentions could use an alternate Facebook or LinkedIn account to log in as an administrator and wreak havoc in the system, deleting accounts or changing passwords.

Spiceworks’ answer to the issue was to completely disable social sign-in in the application until an updated version containing a fix becomes available.

Those locked out of their Spiceworks account will have to reset their password in order to regain access.