Full Disclosure mailing list archives
SpoofedMe - Social Login Impersonation Attack
From: Or Peles <ORPELES () il ibm com>
Date: Thu, 4 Dec 2014 17:20:09 +0200
Hi,

We have discovered an impersonation attack on social login protocols (e.g. OAuth 1.0 / 2.0 used for authentication) based on a combination of an implementation vulnerability existing in some identity providers (e.g. LinkedIn, which has fixed the issue) and a known design problem in the relying (third-party) website side.

The identity provider vulnerability allows the use of an unverified email in the social login authentication process, making it possible for an adversary to fake ownership of an email address and log into a victim's account. By exploiting the vulnerability we successfully impersonated a Slashdot (test) account using the (now patched) LinkedIn provider.

More details are available at:

1. Blog post: http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers
2. Whitepaper: http://www.slideshare.net/ibmsecurity/spoofed-me-socialloginattack

Or Peles & Roee Hay, IBM X-Force Application Security Research Team
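The relying-party side of the problem described in the post is an account-linking routine that keys a local account on the email address carried in the provider's assertion, without checking whether the provider verified that address. The following is an added example, not code from the post or from the IBM X-Force research: it places the email-only lookup beside a hardened version that accepts only configured issuers, matches on the stable (issuer, subject) pair first, and falls back to email matching only when the assertion carries `email_verified: true` (the standard OpenID Connect claim; other providers expose the same fact under different names). The issuer URL, user records and assertions are constructed for the example.

```python
# Added example (not part of the original post or of the research it
# announces): relying-party account linking for a social login assertion.
# The issuer, user records and assertions below are constructed.

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    # (issuer, subject) pairs already bound to this local account
    linked_identities: set = field(default_factory=set)


# Constructed local account store keyed by email, as many sites do it.
USERS = {
    "victim@example.com": User(1, "victim@example.com"),
}

# Identity providers this site has actually configured (constructed value).
TRUSTED_ISSUERS = ("https://idp.example",)


def link_by_email_only(assertion):
    """Weak pattern from the post: the email in the provider's assertion is
    taken as proof of account ownership, whether or not the provider ever
    confirmed that the user controls the address."""
    return USERS.get(assertion.get("email"))


def link_verified(assertion):
    """Hardened pattern:
    1. reject assertions from issuers that were not configured;
    2. match an account already bound to this (issuer, subject) pair;
    3. otherwise match by email only if the provider asserts it verified
       the address, and bind the pair on that first successful match;
    4. return None in every other case so the site can run its own
       email verification instead of trusting the provider's claim."""
    iss, sub = assertion.get("iss"), assertion.get("sub")
    if iss not in TRUSTED_ISSUERS or not sub:
        return None
    for user in USERS.values():
        if (iss, sub) in user.linked_identities:
            return user
    # Only a literal True counts; a missing claim is treated as unverified.
    if assertion.get("email_verified") is True:
        user = USERS.get(assertion.get("email"))
        if user is not None:
            user.linked_identities.add((iss, sub))
        return user
    return None


if __name__ == "__main__":
    # Provider account registered with the victim's address but never verified.
    unverified = {"iss": "https://idp.example", "sub": "other-42",
                  "email": "victim@example.com", "email_verified": False}
    print(link_by_email_only(unverified))  # weak routine hands over account 1
    print(link_verified(unverified))       # hardened routine returns None
```

The fallback in step 3 is the usual trade-off: first-time linking by a verified email is convenient, but once the pair is bound, later logins match on the subject and no longer depend on the email claim at all.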