lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <OF88FA2B8C.E326B5B4-ONC2257DA4.00536C1B-C2257DA4.00543E93@il.ibm.com> Date: Thu, 4 Dec 2014 17:20:09 +0200 From: Or Peles <ORPELES@...ibm.com> To: fulldisclosure@...lists.org Subject: [FD] SpoofedMe - Social Login Impersonation Attack Hi, We have discovered an impersonation attack on social login protocols (e.g. Oauth 1.0 / 2.0 used for authentication) based on a combination of an implementation vulnerability existing in some identity providers (e.g. LinkedIn, which has fixed the issue) and a known design problem in the relying (third-party) website side. The identity provider vulnerability is allowing the use of un-verified email in the social login authentication process, making it possible for an adversary to fake ownership of an email address and log into a victim's account. By exploiting the vulnerability we successfully impersonated a Slashdot (test) account using the (now patched) LinkedIn provider. More details are available at: 1. Blog post: http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers 2. Whitepaper: http://www.slideshare.net/ibmsecurity/spoofed-me-socialloginattack Or Peles & Roee Hay, IBM X-Force Application Security Research Team _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists