IBM Reveals ‘SpoofedMe’ Attack Leveraging Social Login Vulnerability
IBM researchers uncovered an attack that could allow a hacker to impersonate someone by abusing the social login mechanism.
Social login is a form of single sign-on that uses existing login information from a social network, such as Facebook or Google+, to sign into a third-party website. According to IBM's X-Force Application Security Research Team, the attack, which they have dubbed "SpoofedMe", works this way: a cyber criminal registers a spoofed account with a vulnerable identity provider using the victim's email address. Then, without ever confirming ownership of that email address, the attacker logs into the relying website with the fake account via social login. The relying website checks the user details asserted by the identity provider and, keying on the email address value alone, logs the attacker into the victim's account, Or Peles, a security researcher with X-Force, explains in a blog post.
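The weak link is on the relying website: it treats the email address in the identity provider's assertion as the account key without asking whether the provider ever verified that address. The following added example (illustrative code, not IBM's, the blog post's or any vendor's) shows that vulnerable account-linking logic beside a hardened version that trusts the email only from an allowlisted provider that asserts `email_verified`, and otherwise recognises the user by the provider's stable `(issuer, subject)` pair. Assertions are modelled as dicts shaped like OpenID Connect ID-token claims; the issuer URLs, user records and claim values are constructed for illustration, and no real token verification takes place.

```python
"""SpoofedMe-style account linking: vulnerable relying party beside a hardened one.

Added illustrative code. Identity-provider assertions are plain dicts with the
OpenID Connect claim names iss, sub, email and email_verified; every value below
is constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    user_id: int
    email: str
    # (issuer, subject) pairs the user has deliberately linked to this account
    linked_identities: set = field(default_factory=set)


class LinkingError(Exception):
    """Raised when a social-login assertion must not be mapped to a local account."""


# Constructed local user database: the victim registered with a password earlier.
USERS = {1: LocalUser(1, "victim@example.com")}

# Constructed: only providers known to verify email addresses may assert one.
TRUSTED_ISSUERS = {"https://trusted-idp.example"}

# Constructed assertion from a provider that never checked the attacker owns the address.
ATTACKER_CLAIMS = {
    "iss": "https://weak-idp.example",
    "sub": "attacker-account-1",
    "email": "victim@example.com",
    "email_verified": False,
}

# Constructed assertion for the real victim logging in through a trusted provider.
VICTIM_CLAIMS = {
    "iss": "https://trusted-idp.example",
    "sub": "victim-subject-42",
    "email": "victim@example.com",
    "email_verified": True,
}


def _find_by_email(email):
    for user in USERS.values():
        if user.email.lower() == email.lower():
            return user
    return None


def vulnerable_login(claims):
    """The pattern SpoofedMe abuses: whoever asserts the victim's email is the victim."""
    user = _find_by_email(claims["email"])
    if user is None:
        raise LinkingError("no local account")
    return user.user_id


def hardened_login(claims, trusted_issuers):
    """Map the assertion to a local account only on evidence the relying party can trust."""
    key = (claims["iss"], claims["sub"])
    # 1. A previously linked (issuer, subject) pair identifies the user regardless of email.
    for user in USERS.values():
        if key in user.linked_identities:
            return user.user_id
    # 2. First-time linking by email requires a provider we trust to verify addresses...
    if claims["iss"] not in trusted_issuers:
        raise LinkingError("untrusted identity provider")
    # 3. ...and that provider's explicit statement that it verified this address.
    if claims.get("email_verified") is not True:
        raise LinkingError("email not verified by provider")
    user = _find_by_email(claims["email"])
    if user is None:
        raise LinkingError("no local account")
    user.linked_identities.add(key)
    return user.user_id


def attempt(login_fn, *args):
    """Run a login function and report (succeeded, user_id or refusal reason)."""
    try:
        return True, login_fn(*args)
    except LinkingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable:", attempt(vulnerable_login, ATTACKER_CLAIMS))
    print("hardened, attacker:", attempt(hardened_login, ATTACKER_CLAIMS, TRUSTED_ISSUERS))
    print("hardened, victim:", attempt(hardened_login, VICTIM_CLAIMS, TRUSTED_ISSUERS))
```

Even the hardened path auto-links a verified email to an existing password account, which is the common compromise between usability and safety; a stricter relying party would instead ask the already-registered user to re-enter their local password before storing the new `(issuer, subject)` link, so that an attacker who somehow obtains a verified-looking assertion still cannot take over an account created by other means.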