A recently disclosed weakness in how social login identity providers and the websites that rely on them handle account linking could have allowed attackers to take over legitimate user accounts.
Researchers with IBM's Security Intelligence blog detailed the "SpoofedMe" attack in a recent post. Social login providers including LinkedIn, Amazon, and MYDIGIPASS were all found to be vulnerable to the attack, which exploits a gap in email address verification: providers handed relying websites an email address they had not yet confirmed belonged to the user.
A user employs a social login to access a third-party website through a social media account rather than by creating a dedicated account for that website. The social media provider, acting as the identity provider, gives the third-party website permission to access the user's details, which makes registration seamless and faster.
To be vulnerable to the SpoofedMe attack, a site must use an email address as a unique identifier, the post said.
“This means that claiming (using an identity provider) to own an email address is enough to log a user in to the local account that uses the same email address,” the post explained.
Additionally, a vulnerable website must allow for account linking.
“When, for the first time, a user logs in with a different identity provider (than previously used with his or her existing local account) and uses an email address that is identical to that of his or her existing account, a website could assume he or she is the owner of the account and automatically link the new identity with the existing local account without asking for any additional credentials,” the post said.
Researchers found that Nasdaq.com, Slashdot.com, Crowdfunder.com and Spiceworks.com were all vulnerable because of their “Sign In With LinkedIn” feature.
Assuming that most users register the same email address across most websites, all an attacker needs to pull off this attack is the intended victim's email address. Once attackers have that, which is often publicly available, they can begin impersonating the victim.
One possible scenario would be if an intended target has an account on Nasdaq.com, but hasn't created one on LinkedIn yet. In this case, an attacker could register for LinkedIn under the target's email address. Although LinkedIn will send a verification email to the victim, the attacker can work on securing access to the Nasdaq.com account in the meantime.
As long as the newly created, still-unverified LinkedIn account remains active, the attacker can use the "Sign In With LinkedIn" feature on Nasdaq.com. Because of the seamless nature of the login, LinkedIn passes the victim's email address to Nasdaq.com, which matches it to the existing local account. Nothing more is needed for the attacker to be signed into the victim's legitimate Nasdaq.com account.
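The relying-party logic described above, written out as an added example that is not from the IBM post or from any of the named sites: a minimal account-linking routine with the two SpoofedMe preconditions (email as the unique key, automatic linking on first login from a new provider), beside a hardened version that looks accounts up by the provider's own stable user id, refuses to link an email the provider has not verified, and links only to an account the user has just authenticated to locally. The class names, the `email_verified` field, and the sample accounts and assertions are constructed for illustration and are not any provider's real API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IdpAssertion:
    """What the identity provider hands the relying party after a social login.
    Constructed for this example; the field names are not any provider's real API."""
    provider: str
    subject: str           # provider-scoped, stable user id
    email: str
    email_verified: bool   # False for a freshly registered, unconfirmed account


@dataclass
class LocalAccount:
    email: str
    linked: Dict[str, str] = field(default_factory=dict)  # provider -> subject


class VulnerableRelyingParty:
    """Both SpoofedMe preconditions: email is the unique key, and the first
    login from a new provider is linked to the matching local account."""

    def __init__(self, accounts: List[LocalAccount]):
        self.by_email = {a.email: a for a in accounts}

    def social_login(self, a: IdpAssertion) -> Optional[LocalAccount]:
        acct = self.by_email.get(a.email)
        if acct is not None:
            acct.linked[a.provider] = a.subject   # auto-link on an unverified claim: the flaw
        return acct


class HardenedRelyingParty(VulnerableRelyingParty):
    """Keys on (provider, subject), refuses an unverified email for linking,
    and links only to an account the user has just logged into locally."""

    def social_login(self, a: IdpAssertion,
                     local_session: Optional[LocalAccount] = None) -> Optional[LocalAccount]:
        for acct in self.by_email.values():
            if acct.linked.get(a.provider) == a.subject:
                return acct                        # identity already linked: normal login
        if not a.email_verified:
            raise PermissionError("provider did not verify this email address")
        acct = self.by_email.get(a.email)
        if acct is None:
            return None                            # no local account: hand off to registration
        if local_session is not acct:
            raise PermissionError("log in with the local password before linking")
        acct.linked[a.provider] = a.subject
        return acct


def attacker_gets_victim_account(site_cls) -> bool:
    """The scenario in the text: the attacker registers the victim's email at the
    identity provider but never confirms it, then tries the social login."""
    victim = LocalAccount("victim@example.com")
    site = site_cls([victim])
    spoof = IdpAssertion("linkedin", "attacker-123", victim.email, email_verified=False)
    try:
        return site.social_login(spoof) is victim
    except PermissionError:
        return False


def legitimate_link_and_relogin() -> bool:
    """The real owner links a verified identity during a local session, then
    signs in again with that identity alone."""
    owner = LocalAccount("owner@example.com")
    site = HardenedRelyingParty([owner])
    ident = IdpAssertion("linkedin", "owner-456", owner.email, email_verified=True)
    site.social_login(ident, local_session=owner)
    return site.social_login(ident) is owner and owner.linked["linkedin"] == "owner-456"


if __name__ == "__main__":
    print("vulnerable site, attacker logged in as victim:",
          attacker_gets_victim_account(VulnerableRelyingParty))
    print("hardened site, attacker logged in as victim:",
          attacker_gets_victim_account(HardenedRelyingParty))
    print("hardened site, legitimate link and re-login:", legitimate_link_and_relogin())
```

The hardened version refuses the spoofed login for two independent reasons, and either one alone would stop this attack: the unverified email is never used as an identifier, and linking requires the user to prove control of the local account first. Keeping both means a provider that omits or mishandles a verified-email flag still cannot be used to hijack an existing account.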
“This is really about taking over someone's trusted account,” said Diana Kelley, executive security advisor, IBM Security Systems, in a Thursday interview with SCMagazine.com. “It's essentially leveraging the trust of the account you've taken over.”
In this particular case, for instance, an attacker could post from a high-level executive's Nasdaq.com account and move stock prices to make a profit, Kelley said.
Separately, Kelley said, an attacker could use a legitimate Spiceworks account to post malicious code under the guise of a real professional. Other users could then unknowingly insert that code into their own applications and compromise them.
After the vulnerability was disclosed, LinkedIn resolved the issue by no longer including the email field in what it sends to relying websites when the email address isn't verified. Amazon added a section to its developer documentation that shows relying parties how to properly link local accounts in their systems, and also plans to add a "verified email" scope to "Log In With Amazon." VASCO's MYDIGIPASS.com resolved the issue by supplying the email field to relying websites only when a user's email address is verified and the user has actively chosen to share it.
The attack, Kelley said, demonstrated the need to think through misuse cases and to use threat modeling.
“It's a great example of balancing ease of use with customer experience and ease of security,” she said. “An extra check or verification may really be in-line to make sure the right person is getting into the right account.”