Cyber-criminals can exploit social logins, such as the â€œSign In With Facebook/LinkedIn/etcâ€ buttons, to hijack accounts and impersonate users through a technique dubbed SpoofedMe, according to IBM research. To run the attack, hackers register a spoofed account at a vulnerable identity provider using the victimâ€™s email address. Cyber-criminals can then post misleading information and even malware on victimsâ€™ behalf.
The IBM study revealed that hackers can easily abuse the mechanism that allows users to quickly gain access to various web accounts with the social login. After IBMâ€™s warning earlier this year, LinkedIn and Amazon moved to update their systems.
LinkedInâ€™s security team fixed the issue by denying social login requests that include the email field, in case the email isnâ€™t verified. Vulnerable third-party websites that also rely on LinkedIn include Nasdaq.com, Slashdot.org, Crowdfunder.com and Spiceworks.com. Several shopping websites use Amazon as a login.
â€œIf you have a piece of malware code and you take over someoneâ€™s trusted account and say â€˜hereâ€™s this code,â€™ because youâ€™re leveraging trust already established in the community, others on the website are more likely to use it,â€ IBM Executive Security Advisor Diana Kelley said. â€œThat would be a big â€˜gotchaâ€™.â€
To be successful, the SpoofedMe attack requires a combination of flaws, according to IBM X-Force security team:
- a vulnerability with a social login identity provider such as LinkedIn, Amazon and MYDIGIPASS.
- a known design issue in the websites that rely on the identity providers for verification.
- an email address that hasnâ€™t already been used in an account at the vulnerable identity provider.
Before announcing the hacking technique, IBM reviewed the popular identity providers, privately disclosed details to the vulnerable ones, and waited for them to apply fixes. The SpoofedMe technique can still be exploited in the wild, as there are identity providers and websites vulnerable to both the social login, and the design problem.