[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] SpoofedMe - Social Login Impersonation Attack

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] SpoofedMe - Social Login Impersonation Attack
From: Or Peles <ORPELES@xxxxxxxxxx>
Date: Thu, 4 Dec 2014 17:20:09 +0200

Hi,

We have discovered an impersonation attack on social login protocols (e.g. 
Oauth 1.0 / 2.0 used for authentication) based on a combination of an 
implementation vulnerability existing in some identity providers (e.g. 
LinkedIn, which has fixed the issue) and a known design problem in the 
relying (third-party) website side.

The identity provider vulnerability is allowing the use of un-verified 
email in the social login authentication process, making it possible for 
an adversary to fake ownership of an email address and log into a victim's 
account.

By exploiting the vulnerability we successfully impersonated a Slashdot 
(test) account using the (now patched) LinkedIn provider.

More details are available at:

1. Blog post: 
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers
2. Whitepaper: 
http://www.slideshare.net/ibmsecurity/spoofed-me-socialloginattack

Or Peles & Roee Hay, IBM X-Force Application Security Research Team

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Offset2lib: bypassing full ASLR on 64bit Linux
Next by Date: [FD] NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
Previous by thread: Re: [FD] [oss-security] Offset2lib: bypassing full ASLR on 64bit Linux
Next by thread: [FD] NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
Index(es):
- Date
- Thread