IBM security officials have detected a malicious attacker who intrudes into user accounts of those who log in to third-party websites via a social login.
We've all seen it -- "log in via Facebook, Twitter, LinkedIn, etc."
Makes things easier.
But that, according to IBM, is the point where a recent attacker penetrates a relying website -- a website that relies on authentication assertions passed to it by the identity provider -- and abuses the social login mechanism.
IBM's security group -- called the IBM X-Force Application Security Research Team -- identified the vulnerability last week in LinkedIn, Amazon and MYDIGIPASS.COM login tools offered on vulnerable websites such as Slashdot, Spiceworks and NASDAQ, according to Diana Kelley, executive security advisor for IBM Security.
"We do not know how many websites are vulnerable to this attack," Kelley told CMSWire, "but given the size of the internet, it's hard for us to determine which are."
What To Do?
Websites that offer social login capabilities must be particularly diligent, Kelley said. She referred to IBM's blog on the matter.
"It’s important for any website offering social login capabilities to use this research as a reminder to check their login processes to ensure they aren’t vulnerable, and if they are, implement proper mitigation such as email verification," Kelley told CMSWire.
Anatomy of an Attack
The vulnerability IBM discovered allows attackers to impersonate a trusted user on the web and conduct malicious actions such as sharing false inside information to impact stock prices, sharing malcode on a developer website, or even, Kelley said, to pose as a celebrity or political figure to spread false news.
"We have alerted the social login identity providers -- Login with Amazon, LinkedIn and MYDIGIPASS -- and websites -- i.e., Slashdot and NASDAQ -- that our researchers found the vulnerability," Kelley said. "But we urge all websites using social logins to review their processes to ensure that they are not vulnerable to spoofing-type attacks."
IBM officials reported in their blog that LinkedIn responded quickly and fixed this vulnerability after the attack was disclosed.
IBM's X-Force has dubbed this attack “SpoofedMe." IBM X-Force’s Application Security Research team assigned the name for this vulnerability based on it allowing an attack to “Spoof” or impersonate a user.
So what can users of social login features do, if anything?
"It would likely be difficult for a user to know they have been compromised with this attack method," Kelley said. "However, if you do use one of the impacted sites, check your account to make sure no information has been posted or altered without your knowledge. If you identify any unusual activity on your account, contact the website owner."
IBM officials in their blog post recommended developers of both websites that use social login and future identity providers to follow the mitigation section in the white paper listed in the blog.
"While fixing the identity provider vulnerability would be enough for this attack to be blocked," they reported, "it is important for websites that are vulnerable to fix the website design problem because it may expose their users to similar attacks."