You have probably come across a website login page that offers to sign you in with a social identity: Facebook, LinkedIn, Amazon or another identity provider.
What if the person logging in with your social identity was not you?
A new vulnerability has been uncovered and announced by an IBM security team.
It enables an attacker to access several important websites, including Nasdaq.com and Slashdot.com, by assuming the victim's identity.
The hack is incredibly simple: the attacker starts by signing up for a social login account with an identity provider like Facebook or Twitter using the victim's email address, assuming of course that the victim does not already have an account with that identity provider.
You might reasonably object: the victim will receive the verification email, so where is the problem?
The catch is that email verification is not needed for the next step. The attacker goes to a target website that supports social login and signs in with the freshly created, still unverified account. If the victim already has an account on the target website associated with the same email address, the attacker is authenticated and logged in as the victim.
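The weakness sits on the website's side: it links the incoming social identity to a local account by email alone, without asking whether the identity provider ever confirmed that email. The following is an added example written for this post, not code from IBM's research or from any of the sites named here. It contrasts the vulnerable linking logic with two safer variants (one that requires the provider's `email_verified` claim, one that keys on the provider's stable subject identifier). The function names, the local user table, the issuer URL and the claim values are all assumptions constructed for the illustration; only the `sub`, `email` and `email_verified` claim names are taken from OpenID Connect.

```python
"""
Added example (not from the original post or from IBM's research): a minimal
relying-party account-linking routine showing the pattern SpoofedMe exploits
and how a website closes it. All names, the claim layout and the user
tables below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed local user table for the target website: email -> user id.
LOCAL_USERS = {"victim@example.com": 42}

# Constructed table of social identities already linked to local accounts:
# (issuer, subject id) -> local user id. Entries are only ever added after a
# verified link, never from an unverified email match.
LINKED_IDENTITIES = {("https://idp.example", "idp-user-100"): 42}

ISSUER = "https://idp.example"  # hypothetical identity provider


@dataclass
class Session:
    user_id: Optional[int] = None
    errors: List[str] = field(default_factory=list)


def link_by_email_unverified(idp_claims: dict) -> Session:
    """Vulnerable pattern: trust the email claim on its own.

    The provider only asserts "this session belongs to whoever registered
    with email X"; X was never confirmed. Matching X against the local user
    table therefore logs the attacker in as the victim.
    """
    sess = Session()
    email = idp_claims.get("email")
    if email in LOCAL_USERS:
        sess.user_id = LOCAL_USERS[email]
    return sess


def link_by_email_verified(idp_claims: dict) -> Session:
    """Hardened pattern: require a positive email_verified claim.

    A missing flag is treated the same as False: the email is untrusted and
    no local account is matched against it.
    """
    sess = Session()
    if idp_claims.get("email_verified") is not True:
        sess.errors.append("email not verified by identity provider")
        return sess
    email = idp_claims.get("email")
    if email in LOCAL_USERS:
        sess.user_id = LOCAL_USERS[email]
    else:
        sess.errors.append("no local account for this email")
    return sess


def login_with_social_identity(issuer: str, idp_claims: dict) -> Session:
    """Recommended pattern: key on the provider's stable subject id.

    1. If (issuer, sub) is already linked, log that local user in; the email
       claim plays no part in the decision.
    2. Otherwise fall back to email matching only when the provider asserts
       email_verified, and remember the link so step 1 applies next time.
    """
    key = (issuer, idp_claims.get("sub"))
    if key in LINKED_IDENTITIES:
        return Session(user_id=LINKED_IDENTITIES[key])
    sess = link_by_email_verified(idp_claims)
    if sess.user_id is not None:
        LINKED_IDENTITIES[key] = sess.user_id
    return sess


# Constructed claim sets in the shape of an OpenID Connect ID token payload.
ATTACKER_CLAIMS = {"sub": "idp-user-999", "email": "victim@example.com",
                   "email_verified": False}
LEGIT_CLAIMS = {"sub": "idp-user-100", "email": "victim@example.com",
                "email_verified": True}

if __name__ == "__main__":
    print(link_by_email_unverified(ATTACKER_CLAIMS))        # user_id=42: takeover
    print(link_by_email_verified(ATTACKER_CLAIMS))          # user_id=None
    print(login_with_social_identity(ISSUER, ATTACKER_CLAIMS))  # user_id=None
    print(login_with_social_identity(ISSUER, LEGIT_CLAIMS))     # user_id=42
```

The subject-keyed variant is the more robust of the two fixes: once an account has been linked to `(issuer, sub)`, a later change of email at the provider, or a second provider account created with the same address, cannot redirect the login to a different local user. The `email_verified` check is still needed for the very first link, and a relying party that cannot obtain that claim should fall back to its own email confirmation step rather than trusting the address.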
The attacker could then wreak havoc, obtain sensitive information, etc.
It should be said that most of the identity providers have fixed the issue; still, report any strange activity on your account to the identity provider.
The attack has been called ‘SpoofedMe!’.
Credits to Or Peres and Roee Hay of IBM Security Systems