A serious security flaw has been discovered in the Spiceworks network administration application. The issue, uncovered by Spicehead Darren K Smith, allows anyone with a Facebook or LinkedIn account to log in as an administrator.
Spiceworks has responded by temporarily disabling social sign-in until the flaw can be addressed.
The flaw was discovered in a clean install of version 7.4.00065 of the Spiceworks application. This version of the application enables social sign-in by default.
Social sign-in is the ability to log into websites and other applications using social media accounts, and in the case of Spiceworks both Facebook and LinkedIn are supported.
The goal is to make the Spiceworks application – and more critically, the Spiceworks community forums – more accessible to individuals not wanting to create a Spiceworks account.
Spiceworks' initial reaction to the flaw was less than stellar, although it has since been edited. The issue was downplayed as Spiceworks believed it would not affect many users.
Spiceheads were pretty quick to point out that this was an inappropriate response – the severity of the flaw is in WTF class, even if it only affects a small number of installs – and Spiceworks changed its tune pretty quickly.
Social sign-in has been a feature of the Spiceworks community forums for some time, but has only recently seen inclusion in the administration application itself.
The administration application does not update itself automatically by default, so older installs (from before social sign-in was switched on) should be safe from this particular issue, though like any application flaws are discovered in Spiceworks regularly, so running too old a version could leave you vulnerable to other attacks.
If you attempt to upgrade your existing Spiceworks install you may encounter a separate bug that could leave you unsure of your application status.
When upgrades are triggered on older installs, as I have just done with one of mine, a screen will appear saying "Version 7.3.00111 of Spiceworks is being downloaded". It will, in fact, update you to the latest version: 7.4.0065.
I have confirmed that both new installs of 7.4.0065 and installs which upgrade to it are currently behaving as though social sign-in has been disabled. It is unknown if Spiceworks will re-enable social sign-in as a default once it has fixed the security flaw and issued a new release.
For those users who have been keeping their Spiceworks up to date and fear that someone may have used a social networking account to create an administrative log in on their Spiceworks install, go to Settings > User Accounts in Spiceworks and check the list of admin users to make sure all is as it should be. ®