UPDATED 06:59 EDT / DECEMBER 08 2014

Serious security flaw found in popular social login schemes

Security researchers from IBM’s X-Force have found a glaring flaw in the way some social login features are configured that could allow attackers to gain easy access to people’s web accounts.

Social login is a way to sign in to websites without creating an account. Instead, netizens can use login details from a social network such as Facebook or Twitter to enter a third-party website. But the social login features of Amazon, LinkedIn and MYDIGIPASS were all found to be vulnerable to an attack that takes advantage of a security lapse in the email verification process. As a result, it’s relatively simple to ‘hack’ accounts at websites like Crowdfunder, NASDAQ.com and Slashdot, which all offer social login options.

The flaw, which has been dubbed “SpoofedMe”, was discovered by Or Peles and Roee Hay of IBM’s X-Force Application Security Research Team. They said the attacks worked because the affected sites allowed accounts with unverified email addresses to be used for a verified login. That means attackers could register a victim’s email address with an identity provider and a chosen website, then click the social network sign-in button to gain access, all without ever clicking an email verification link.

Luckily, IBM has tipped off the vulnerable websites, which have since been patched.

“The vulnerability we identified is that some identity providers agree to supply the account’s email addresses as part of the social login authentication process even when the user’s ownership of this email address has not been positively verified,” Peles and Hay wrote in an accompanying blog post.

The researchers demonstrated how the attack works using LinkedIn’s social login feature in a video. First up, the attacker must create a LinkedIn account using his victim’s email address. LinkedIn automatically sends a verification email to that address to ensure the person signing up controls it, but the attacker doesn’t need to access this mailbox to continue.

Instead, once the account is created, the attacker can go to Slashdot and use the LinkedIn social login feature to access that site. LinkedIn doesn’t transfer its user’s credentials to the third party site, but it does provide their email address, which Slashdot then matches with the existing account on its own site (if there is one). This allows the attacker to gain control of that account, which could then be used for posting malicious links, spam and other abuse.

The attack can be facilitated in a similar way using Amazon’s and MYDIGIPASS’s login services, but will only work if the victim hasn’t already signed up for an account with the chosen identity provider.

The vulnerability was actually even more dangerous with Amazon’s “Sign in with Amazon” feature.

“We found that in addition to allowing us to register an account with an email address we don’t own and pass it as part of the social login authentication process, it also allowed us to change the Amazon account email address to another unverified address, making it the new account’s primary email address,” Peles and Hay wrote.

Amazon’s security team has since provided more details on how local accounts should be linked, including verifying emails, they wrote.
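The walkthrough above (LinkedIn account created with the victim’s email, then matched by Slashdot against its own account) and the Amazon variant (email changed to another unverified address) both come down to the same relying-party mistake: linking a local account on the email address the identity provider passes along, without checking whether the provider has verified it. The following is an added example, not code from IBM, Slashdot or any of the named providers. It models the relying-party callback in Python with a constructed identity-provider assertion (the issuer `https://idp.example`, the subject identifiers and the `email_verified` flag are assumptions modelled on the OpenID Connect claim of that name) and shows the vulnerable matching beside a hardened version that only matches on email when the provider asserts verification, and otherwise links on the provider’s stable subject identifier.

```python
"""Relying-party side of a social login callback: vulnerable vs. hardened account linking.

Added example. The identity provider, users and assertions below are constructed
for illustration and are not taken from any real service.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalUser:
    user_id: int
    email: str
    # (issuer, subject) pairs this local account has explicitly linked
    linked_identities: set = field(default_factory=set)


class UserStore:
    """Tiny in-memory stand-in for the relying party's user table."""

    def __init__(self, users):
        self.users = list(users)

    def by_email(self, email: str) -> Optional[LocalUser]:
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def by_identity(self, issuer: str, subject: str) -> Optional[LocalUser]:
        return next((u for u in self.users if (issuer, subject) in u.linked_identities), None)


def build_store() -> UserStore:
    # Constructed data: the victim already has a local account at the relying party.
    return UserStore([LocalUser(user_id=42, email="victim@example.com")])


# Constructed assertions as the relying party would receive them from the provider
# after the user returns from the social login redirect (hypothetical issuer).
ISSUER = "https://idp.example"

# Attacker registered victim@example.com at the provider but never clicked the
# verification link (or, as with the Amazon case, changed the email afterwards).
ATTACKER_ASSERTION = {
    "iss": ISSUER,
    "sub": "attacker-sub",
    "email": "victim@example.com",
    "email_verified": False,
}

# The real owner, whose provider account has a verified address.
VICTIM_ASSERTION = {
    "iss": ISSUER,
    "sub": "victim-sub",
    "email": "victim@example.com",
    "email_verified": True,
}


def login_vulnerable(assertion: dict, store: UserStore) -> Optional[LocalUser]:
    """The SpoofedMe-style mistake: trust the email the provider passes along, verified or not."""
    return store.by_email(assertion["email"])


def login_hardened(assertion: dict, store: UserStore) -> Optional[LocalUser]:
    """Return the local user to sign in, or None if the relying party must verify the email itself."""
    issuer, subject = assertion["iss"], assertion["sub"]

    # 1. A (issuer, subject) pair this account previously linked is authoritative;
    #    the subject is stable and cannot be chosen to collide with another user's email.
    user = store.by_identity(issuer, subject)
    if user is not None:
        return user

    # 2. Fall back to matching on email only when the provider positively asserts
    #    verification. `is not True` rejects a missing claim and non-boolean values
    #    such as the string "true", so an unverified or ambiguous address never links.
    if assertion.get("email_verified") is not True:
        return None

    user = store.by_email(assertion["email"])
    if user is not None:
        user.linked_identities.add((issuer, subject))
    return user


if __name__ == "__main__":
    store = build_store()
    print("vulnerable:", login_vulnerable(ATTACKER_ASSERTION, store))
    print("hardened:  ", login_hardened(ATTACKER_ASSERTION, store))
```

When `login_hardened` returns None the relying party should send its own verification email to the asserted address (or prompt the user to sign in with the existing local password) before linking; silently creating a second account keyed on the unverified address is the other common failure.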

