Websites that allow users to log in through their social media accounts are endangering the accounts of their users, according to a security division at IBM.

A bug found in "social login" providers such as LinkedIn, Amazon and MYDIGIPASS can be combined with a design issue on reliant websites to allow hackers to hijack user accounts.

Or Peles, security researcher at IBM X-Force, said: "A specific instance of this attack allowed an attacker to intrude into a Slashdot.org user account by using the ‘Sign In With LinkedIn’ service."

"Once logged in, the attacker has complete access to the victim’s account. For example, the attacker could access the victim’s private information and impersonate him or her by posting spam messages."

To enact the hack, named SpoofedMe by IBM, the cybercriminal must register a fake account on one of the social media platforms using a victim’s email address and then log into the reliant website using social login.

The website then matches the email address of the victim to the one used by the hacker on a social media platform, without asking for verification that the hacker is the legitimate user of the email address.
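The design issue on the relying website is an account-linking rule that treats an e-mail match alone as proof of ownership. The following added example (not IBM's code and not any provider's real API; provider names, the assertion shape and the `email_verified` flag are assumptions for illustration) models a relying site with both the vulnerable linking rule and a hardened one that links only on a previously established (provider, subject) pair or on an address the provider has actually verified, and runs the constructed SpoofedMe scenario against both.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Assertion:
    """What the identity provider asserts about the logged-in user.
    Assumed shape for this example, not any provider's real response format."""
    provider: str          # constructed provider name, e.g. "idp-A"
    subject: str           # provider-specific stable user id
    email: str
    email_verified: bool   # did the provider confirm ownership of the address?


@dataclass
class Account:
    username: str
    email: str
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (provider, subject)


class RelyingSite:
    """A website offering social login on top of its own local accounts."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register_local(self, username: str, email: str) -> None:
        self.accounts[username] = Account(username, email)

    def _by_email(self, email: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if acct.email.lower() == email.lower():
                return acct
        return None

    def _by_link(self, a: Assertion) -> Optional[Account]:
        for acct in self.accounts.values():
            if (a.provider, a.subject) in acct.links:
                return acct
        return None

    def login_vulnerable(self, a: Assertion) -> Optional[str]:
        """Design flaw: an e-mail match alone is treated as proof of ownership."""
        acct = self._by_email(a.email)
        return acct.username if acct else None

    def login_hardened(self, a: Assertion) -> Optional[str]:
        """Link only on an already-linked (provider, subject) pair, or on an
        e-mail address the provider attests it has verified."""
        acct = self._by_link(a)
        if acct:
            return acct.username
        if not a.email_verified:
            return None          # unverified address: never auto-link
        acct = self._by_email(a.email)
        if acct is None:
            return None
        acct.links.add((a.provider, a.subject))
        return acct.username


def spoofedme_scenario() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed scenario mirroring the attack described in the article."""
    site = RelyingSite()
    site.register_local("victim", "victim@example.com")
    # Attacker registers at the provider with the victim's address but never
    # proves ownership, so an honest provider cannot mark it verified.
    spoofed = Assertion("idp-A", "attacker-subject", "victim@example.com", False)
    # The legitimate owner signs in via a provider that did verify the address.
    genuine = Assertion("idp-B", "victim-subject", "victim@example.com", True)
    return (site.login_vulnerable(spoofed),
            site.login_hardened(spoofed),
            site.login_hardened(genuine))


if __name__ == "__main__":
    print(spoofedme_scenario())
```

In a real deployment the `None` branch for an unverified address would not simply fail: the site should fall back to its own ownership check (for example, sending a confirmation link to the address) before creating or linking an account, which is exactly the verification step the article says the relying website skipped.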

Peles said that all three identity providers named above had responded to the issue by including provisions for email verification, among other measures.

"While fixing the identity provider vulnerability would be enough for this attack to be blocked, it is important for websites that are vulnerable to fix the website design problem because it may expose their users to similar attacks," he added.

He also noted that the hack would not work if the email address of the victim was already in use at all the relevant identity providers.