'SpoofedMe' attacks exploited LinkedIn, Amazon social login flaws

Date: 2014/12/16

According to Techworld, IBM X-Force security researchers found an easy way to gain access to web accounts by taking advantage of an oversight in how some social login services are configured.
Those services allow someone to log in to a web service using, for example, their LinkedIn credentials. It is a convenient way for users to create accounts on new websites by reusing the identity they already have with the provider.
But in one instance, the researchers found they could gain control of accounts at Slashdot.org, Nasdaq.com, Crowdfunder.com and others by abusing LinkedIn's social login mechanism.
Other identity services were also found to be vulnerable to the "SpoofedMe" attack, wrote Or Peles and Roee Hay of IBM Security Systems.
LinkedIn, Amazon and Vasco, all identity providers, have either fixed the issue or taken measures to prevent such account takeovers after notification from IBM, the researchers said. But the problem is one that both identity providers and the third-party websites relying on those services should be aware of.
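The article does not spell out the oversight, but the published SpoofedMe technique works by registering an account at the identity provider under the victim's e-mail address, leaving that address unconfirmed, and then signing in to a website that links social logins to local accounts purely by matching e-mail. The following is an added example, not code from the article or from IBM, showing that account-linking logic on the relying-party side in simulated form: the provider's assertion is a plain dict, the provider name `example-idp` and the `RelyingParty` class are assumptions made for illustration, and the `email_verified` claim is the standard OpenID Connect claim that a careful site should check before trusting an e-mail to link accounts.

```python
"""Added example (not from the article): a minimal relying-party social-login
handler that links accounts by e-mail, first in the permissive form behind
SpoofedMe-style takeovers and then with the email_verified check that stops it.
The identity provider is simulated; its assertion is a plain dict of claims."""

from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    email: str
    # provider name -> subject id at that provider, once linked
    provider_ids: dict = field(default_factory=dict)


class RelyingParty:
    """Simulated website that accepts social logins (assumed name, illustration only)."""

    def __init__(self, strict: bool):
        self.strict = strict  # True: only link by e-mail if the provider verified it
        self.accounts: dict = {}  # lower-cased e-mail -> LocalAccount

    def register_local(self, email: str) -> LocalAccount:
        """Ordinary password-style signup, creating a local account."""
        acct = LocalAccount(email.lower())
        self.accounts[acct.email] = acct
        return acct

    def social_login(self, provider: str, claims: dict):
        """Handle the assertion returned after a social login.

        claims looks like {"sub": ..., "email": ..., "email_verified": ...}.
        Returns the LocalAccount the session is bound to, or None if refused.
        """
        sub = claims["sub"]
        email = claims.get("email", "").lower()

        # 1. A (provider, sub) pair we have linked before: plain sign-in.
        for acct in self.accounts.values():
            if acct.provider_ids.get(provider) == sub:
                return acct

        # 2. Unlinked provider identity whose e-mail matches a local account.
        #    Linking here on e-mail alone is the SpoofedMe mistake: anyone who
        #    can register that address at the provider inherits the account.
        existing = self.accounts.get(email)
        if existing is not None:
            if self.strict and not claims.get("email_verified", False):
                return None  # refuse: provider never confirmed this address
            existing.provider_ids[provider] = sub
            return existing

        # 3. Genuinely new user: create a fresh local account for them.
        if not email:
            return None
        acct = LocalAccount(email)
        acct.provider_ids[provider] = sub
        self.accounts[email] = acct
        return acct


def spoofedme_scenario(strict: bool) -> bool:
    """Replay the attack against a site; True means the takeover succeeded."""
    rp = RelyingParty(strict)
    victim = rp.register_local("victim@example.com")
    # Attacker registers at the provider with the victim's address (constructed
    # sample claims) and never confirms it, so email_verified stays False.
    attacker_claims = {"sub": "attacker-123",
                       "email": "victim@example.com",
                       "email_verified": False}
    return rp.social_login("example-idp", attacker_claims) is victim


def legitimate_link_scenario() -> bool:
    """A verified address still links to the matching local account in strict mode."""
    rp = RelyingParty(strict=True)
    owner = rp.register_local("owner@example.com")
    owner_claims = {"sub": "owner-777",
                    "email": "owner@example.com",
                    "email_verified": True}
    return rp.social_login("example-idp", owner_claims) is owner


if __name__ == "__main__":
    print("permissive site taken over:", spoofedme_scenario(strict=False))
    print("strict site taken over:   ", spoofedme_scenario(strict=True))
    print("verified user still links:", legitimate_link_scenario())
```

The provider-side fix the article alludes to is the mirror image: do not issue a social-login assertion carrying an e-mail address (or issue it with `email_verified` false) until the user has confirmed that address. A relying party that cannot obtain a verified-e-mail claim from a given provider should fall back to treating the social identity as a new account and asking the user to prove ownership of the existing one before linking.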
