Bigshot online identity providers LinkedIn and Amazon were vulnerable to a novel attack that allowed ID fraudsters potential access to top websites – including Slashdot, NASDAQ.com and Crowdfunder – an IBM security duo have revealed.
Or Peles and Roee Hay of IBM Security Systems said the attacks worked because the providers included MyDigiPass, "Sign in with LinkedIn" or "Login with Amazon" functions on their sites. Those named websites allowed accounts that had not had email addresses confirmed to be used for a verified login.
An attacker moving in prior to the sites fixing the flaws, or on other possibly still vulnerable sites, could register a victim's email address with an identity provider and a chosen website, then click the social network sign-in button to gain access, all without ever clicking an email verification link.
The named sites were tipped off by Big Blue and subsequently patched because they had publicly welcomed bug reporting by the security community, a feat that all organisations should consider seriously.
"The vulnerability we identified is that some identity providers agree to supply the account's email addresses as part of the social login authentication process even when the user's ownership of this email address has not been positively verified," Peles and Hay wrote in the paper SpoofedMe Intruding Accounts using Social Login Providers: A Social Login Impersonation Attack (registration or irony-free social sign-in required).
"This attack is based on a basic implementation vulnerability found in certain identity providers, together with a design problem in third-party websites that was previously known," said the duo.
"When logging in with a different identity provider for the first time, by providing an email address that is identical to that of an existing local user, an implementation problem could automatically (or by prompting the user) link the new account with the existing local account without asking for any additional credentials, because of the third-party website's trust in the end-user's email address ownership."
The attack worked on any new and proprietary social login protocols that were vulnerable regardless of signature mechanisms or flow, the pair said, provided the email address was sent to websites.
Websites and identity providers should both fix the verification flaws to prevent attackers logging in using either the researchers' exploit or by hacking identity providers to gain access to sites.
"LinkedIn’s security team followed our suggestion and fixed the issue by not allowing social login requests that include the email field to continue, in case the email is not verified," the duo wrote, noting also that Amazon's security team added a section to their developer documentation about fixing the vuln. VASCO (owners of MyDigiPass) "fixed the issue by only supplying the email field to its relying websites when the user’s email address is verified, and if the user actively chose to share it."
A similar fix would be to append the email verified boolean field to email addresses, allowing sites to reject those lacking proven ownership.
Facebook and Google both refused to offer unverified email addresses when tested, the two seemingly having applied lessons learned by Microsoft and Indiana University researchers in 2012
The OpenID initiative had it right, they said, as "the only claims that should uniquely identify the user are the subject (the user's user-ID in the identity provider) and issuer (the identity provider itself) used together". ®