View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 8, 2014

Social logins abused to hack user accounts, says IBM

With only access to a victim's email address, hackers can break into reliant websites.

By Jimmy Nicholls

Websites that allow users to log in through their social media accounts are endangering the accounts of their users, according to a security division at IBM.

A bug found in "social login" providers such as LinkedIn, Amazon and MYDIGIPASS can be combined with a design issue on reliant websites to allow hackers to hijack user accounts.

Or Peles, security researcher at IBM X-Force, said: "A specific instance of this attack allowed an attacker to intrude into a Slashdot.org user account by using the ‘Sign In With LinkedIn’ service."

"Once logged in, the attacker has complete access to the victim’s account. For example, the attacker could access the victim’s private information and impersonate him or her by posting spam messages."

To enact the hack, named SpoofedMe by IBM, the cybercriminal must register a fake account on one of the social media platforms using a victim’s email address and then log into the reliant website using social login.

The website then matches the email address of the victim to the one used by the hacker on a social media platform, without asking for verification that the hacker is the legitimate user of the email address.

Peles said that all three identity providers named above had responded to the issue by including provisions for email verification, among other measures.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

"While fixing the identity provider vulnerability would be enough for this attack to be blocked it is important for websites that are vulnerable to fix the website design problem because it may expose their users to similar attacks," he added.

He also noted that the hack would not work if the email address of the victim was already in use at all the relevant identity providers.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU