SpoofedMe - Social Login Impersonation Attack

[Or Peles <ORPELES () il ibm com>]

Hi,

We have discovered an impersonation attack on social login protocols (e.g. 
Oauth 1.0 / 2.0 used for authentication) based on a combination of an 
implementation vulnerability existing in some identity providers (e.g. 
LinkedIn, which has fixed the issue) and a known design problem in the 
relying (third-party) website side.

The identity provider vulnerability is allowing the use of un-verified 
email in the social login authentication process, making it possible for 
an adversary to fake ownership of an email address and log into a victim's 
account.

By exploiting the vulnerability we successfully impersonated a Slashdot 
(test) account using the (now patched) LinkedIn provider.

More details are available at:

1. Blog post: 
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers
2. Whitepaper: 
http://www.slideshare.net/ibmsecurity/spoofed-me-socialloginattack

Or Peles & Roee Hay, IBM X-Force Application Security Research Team

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/