IBM security officials have detected a malicious attacker who intrudes into user accounts of those who log in to third-party websites via a social login.
We've all seen it -- "log in via Facebook, Twitter, LinkedIn, etc."
Makes things easier.
But that, according to IBM, is the point where a recent attacker penetrates a relying website -- a website that relies on authentication assertions passed to it by the identity provider -- and abuses the social login mechanism.
IBM's security group -- called the IBM X-Force Application Security Research Team -- identified the vulnerability last week in LinkedIn, Amazon and MYDIGIPASS.COM login tools offered on vulnerable websites such as Slashdot, Spiceworks and NASDAQ, according to Diana Kelley, executive security advisor for IBM Security.
"We do not know how many websites are vulnerable to this attack," Kelley told CMSWire, "but given the size of the internet, it's hard for us to determine which are."