2 min read

Hackers Can Attack Social Logins to Impersonate Users, IBM Study Shows

Bianca STANESCU

December 05, 2014

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Hackers Can Attack Social Logins to Impersonate Users, IBM Study Shows

Cyber-criminals can exploit social logins, such as the “Sign In With Facebook/LinkedIn/etc” buttons, to hijack accounts and impersonate users through a technique dubbed SpoofedMe, according to IBM research. To run the attack, hackers register a spoofed account at a vulnerable identity provider using the victim`s email address. Cyber-criminals can then post misleading information and even malware on victims` behalf.

The IBM study revealed that hackers can easily abuse the mechanism that allows users to quickly gain access to various web accounts with the social login. After IBM`s warning earlier this year, LinkedIn and Amazon moved to update their systems.

LinkedIn`s security team fixed the issue by denying social login requests that include the email field, in case the email isn`t verified. Vulnerable third-party websites that also rely on LinkedIn include Nasdaq.com, Slashdot.org, Crowdfunder.com and Spiceworks.com. Several shopping websites use Amazon as a login.

“If you have a piece of malware code and you take over someone`s trusted account and say Ëœhere`s this code,` because you`re leveraging trust already established in the community, others on the website are more likely to use it,” IBM Executive Security Advisor Diana Kelley said. “That would be a big Ëœgotcha`.”

Source: www.securityintelligence.com

To be successful, the SpoofedMe attack requires a combination of flaws, according to IBM X-Force security team:

  • a vulnerability with a social login identity provider such as LinkedIn, Amazon and MYDIGIPASS.
  • a known design issue in the websites that rely on the identity providers for verification.
  • an email address that hasn`t already been used in an account at the vulnerable identity provider.

Before announcing the hacking technique, IBM reviewed the popular identity providers, privately disclosed details to the vulnerable ones, and waited for them to apply fixes. The SpoofedMe technique can still be exploited in the wild, as there are identity providers and websites vulnerable to both the social login, and the design problem.

tags


Author



Right now

Top posts

How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find Some Phone Manufacturers Didn't Implement Vital Security Patch for ARM Mali GPU, Google Researchers Find
Silviu STAHIE

November 29, 2022

1 min read
Apple Users Report Seeing Other People's Photos When Using iCloud for Windows Apple Users Report Seeing Other People's Photos When Using iCloud for Windows
Silviu STAHIE

November 25, 2022

1 min read
How SIM Swapping Attacks Work and How to Protect Yourself How SIM Swapping Attacks Work and How to Protect Yourself
Filip TRUȚĂ

November 25, 2022

3 min read