lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <OF88FA2B8C.E326B5B4-ONC2257DA4.00536C1B-C2257DA4.00543E93@il.ibm.com>
Date: Thu, 4 Dec 2014 17:20:09 +0200
From: Or Peles <ORPELES@...ibm.com>
To: fulldisclosure@...lists.org
Subject: [FD] SpoofedMe - Social Login Impersonation Attack

Hi,

We have discovered an impersonation attack on social login protocols (e.g. 
Oauth 1.0 / 2.0 used for authentication) based on a combination of an 
implementation vulnerability existing in some identity providers (e.g. 
LinkedIn, which has fixed the issue) and a known design problem in the 
relying (third-party) website side.

The identity provider vulnerability is allowing the use of un-verified 
email in the social login authentication process, making it possible for 
an adversary to fake ownership of an email address and log into a victim's 
account.

By exploiting the vulnerability we successfully impersonated a Slashdot 
(test) account using the (now patched) LinkedIn provider.

More details are available at:

1. Blog post: 
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers
2. Whitepaper: 
http://www.slideshare.net/ibmsecurity/spoofed-me-socialloginattack

Or Peles & Roee Hay, IBM X-Force Application Security Research Team

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists