A recently discovered vulnerability in social login identity providers and the websites that use them could have compromised legitimate user accounts and left them vulnerable to attackers.
Researchers with IBM's Security Intelligence blog detailed the "SpoofedMe" attack in a recent post. Social login providers, including LinkedIn, Amazon, and MYDIGIPASS, were all found to be vulnerable to the attack, which leverages a security lapse in account email verification.
A user employs a social login to access a third-party website through a social media account, rather than by creating a dedicated account for that website. In these cases, the social media provider (the identity provider) gives the third-party website permission to access the user's details, making the registration process seamless and faster.
To be vulnerable to the SpoofedMe attack, a site must use an email address as a unique identifier, the post said.
“This means that claiming (using an identity provider) to own an email address is enough to log a user in to the local account that uses the same email address,” the post explained.
Additionally, a vulnerable website must allow for account linking.
“When, for the first time, a user logs in with a different identity provider (than previously used with his or her existing local account) and uses an email address that is identical to that of his or her existing account, a website could assume he or she is the owner of the account and automatically link the new identity with the existing local account without asking for any additional credentials,” the post said.
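The two preconditions above (email address as the unique identifier, plus automatic account linking) reduce to a single decision in the relying website's login handler. The following is an added illustration, not code from the IBM post or from any of the named sites: a vulnerable linking routine beside a hardened one that only auto-links when the identity provider asserts the address is verified (modelled on the OpenID Connect `email_verified` claim) or the user has just proved ownership of the existing local account. The account store, the user records and the assertion fields are constructed assumptions.

```python
# Added example: account-linking decision in a social-login handler.
# Names and data below are assumptions, not from the article or any real site.
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    email: str
    linked_identities: set = field(default_factory=set)  # e.g. {"linkedin:123"}


def make_users() -> dict:
    # Constructed local user store keyed by email address, i.e. the
    # "email as unique identifier" precondition the article describes.
    return {"victim@example.com": LocalAccount("victim@example.com")}


def vulnerable_link(users: dict, provider: str, assertion: dict) -> str:
    """Links the IdP identity to whichever local account shares the email.
    Claiming the address through any identity provider is enough to log in."""
    acct = users.get(assertion["email"])
    if acct is None:
        return "registered-new"
    acct.linked_identities.add(f"{provider}:{assertion['sub']}")
    return "linked-existing"  # caller is now signed in as the account owner


def hardened_link(users: dict, provider: str, assertion: dict,
                  local_credentials_ok: bool = False) -> str:
    """Auto-links only when the provider asserts the email is verified;
    otherwise the user must first authenticate with the local account."""
    acct = users.get(assertion["email"])
    if acct is None:
        return "registered-new"
    if assertion.get("email_verified") is True or local_credentials_ok:
        acct.linked_identities.add(f"{provider}:{assertion['sub']}")
        return "linked-existing"
    return "link-denied"  # prompt for the local password before linking


if __name__ == "__main__":
    # Constructed assertion for an address the provider has not yet verified.
    unverified = {"sub": "999", "email": "victim@example.com", "email_verified": False}
    print("vulnerable:", vulnerable_link(make_users(), "linkedin", unverified))
    print("hardened:  ", hardened_link(make_users(), "linkedin", unverified))
```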
Researchers found that Nasdaq.com, Slashdot.com, Crowdfunder.com and Spiceworks.com were all vulnerable because of their “Sign In With LinkedIn” feature.
Presuming that most users register the same email address across most websites, all an attacker needs to successfully pull off this attack is the intended victim's email address. Once attackers have this information, which is often publicly available, they can begin trying to impersonate the victim.
One possible scenario would be if an intended target has an account on Nasdaq.com, but hasn't created one on LinkedIn yet. In this case, an attacker could register for LinkedIn under the target's email address. Although LinkedIn will send a verification email to the victim, the attacker can work on securing access to the Nasdaq.com account in the meantime.