
posted by LaminatorX on Sunday December 07 2014, @09:13AM   Printer-friendly
from the trust-no-one dept.

IBM's X-Force security research team have demonstrated an attack that leverages social login to gain access to targeted user accounts.

In a nutshell: the attack targets a site that offers both local and social login and uses the email address as the unique identifier for an account. By registering with a social login provider that does not verify email addresses, an attacker can claim the victim's address there and then leverage that social identity to access the local account set up under the same email address.

The full writeup is available here, and I think soylentils will appreciate the site they tested it on. IBM has also made available a full whitepaper on the attack.

[Ed note: Corrected link to the "full writeup" and added whitepaper link.]
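The account-linking mistake described in the summary, shown as an added example that is not code from IBM X-Force, SoylentNews or the site that was tested: a relying site's social-login handler in the vulnerable shape (email address alone identifies the account) next to a hardened one (match on the provider's stable subject identifier, use the email only when the provider says it verified it, and never silently attach a social identity to an existing local account). The user records, claim names and identifiers are constructed for the example; `email_verified` is the OpenID Connect claim name and is assumed here as the way the provider reports verification.

```javascript
// Added example, not code from IBM X-Force or SoylentNews: a relying site's
// social-login handler in the vulnerable shape the summary describes, next to a
// hardened one. The user records, claim names and identifiers are constructed.

// Local user store keyed by e-mail. The victim registered with a password only.
function makeUserStore() {
  return new Map([
    ["victim@example.com", {
      id: "u-1001",
      email: "victim@example.com",
      hasPassword: true,
      federated: new Set(), // "issuer|subject" pairs already linked to this account
    }],
  ]);
}

// What the site receives from the identity provider after the attacker signs in
// there with the victim's address. email_verified follows the OpenID Connect
// claim name (assumed); a provider that never checked the address reports false
// or omits the claim entirely.
const attackerClaims = {
  iss: "https://idp.example",
  sub: "attacker-7",
  email: "victim@example.com",
  email_verified: false,
};

function createUser(users, claims) {
  const user = {
    id: "u-" + (1000 + users.size + 1),
    email: claims.email,
    hasPassword: false,
    federated: new Set([claims.iss + "|" + claims.sub]),
  };
  users.set(claims.email, user);
  return user;
}

// VULNERABLE: the e-mail address alone identifies the account, so whoever the
// provider says owns that address gets the local account's session.
function vulnerableSocialLogin(users, claims) {
  const user = users.get(claims.email) || createUser(users, claims);
  return { outcome: "logged_in", userId: user.id };
}

// HARDENED: returning social users are matched on the provider's stable
// (iss, sub) pair; the e-mail is consulted only when the provider verified it,
// and a social identity is never attached to an existing local account until
// the user has authenticated to that account.
function hardenedSocialLogin(users, claims) {
  const key = claims.iss + "|" + claims.sub;
  for (const user of users.values()) {
    if (user.federated.has(key)) return { outcome: "logged_in", userId: user.id };
  }
  if (claims.email_verified !== true) {
    return { outcome: "denied", reason: "unverified_email" };
  }
  const existing = users.get(claims.email);
  if (existing) {
    // Ask for the local password (or an e-mailed confirmation) before linking.
    return { outcome: "link_requires_local_auth", userId: existing.id };
  }
  return { outcome: "logged_in", userId: createUser(users, claims).id };
}

// Called only after the user has proven control of the local account.
function linkFederatedIdentity(users, email, claims) {
  const user = users.get(email);
  user.federated.add(claims.iss + "|" + claims.sub);
  return user;
}

// Runs both handlers against the attacker's claims and returns the outcomes.
function demo() {
  return {
    vulnerable: vulnerableSocialLogin(makeUserStore(), attackerClaims),
    hardened: hardenedSocialLogin(makeUserStore(), attackerClaims),
  };
}
```

Calling `demo()` returns `logged_in` as `u-1001` (the victim) from the vulnerable handler and `denied` / `unverified_email` from the hardened one. Note that the hardened version still refuses to auto-link even when the provider does verify the address: a verified address proves the social user controls that mailbox today, not that they are the person who registered the local account, so the link is only created through `linkFederatedIdentity` after local authentication.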

  • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:31AM

    by Anonymous Coward on Sunday December 07 2014, @09:31AM (#123434)

The reason the "The full writeup..." link doesn't work is that you have to start the link with the protocol--otherwise, the base URL of the page containing the "link" is ass-u-me'd.

    Just because your browser respects a "link" without an http:// or a www out front, doesn't mean that's a good thing to presume everywhere.
    (Hover over the link and see what you are actually linking to.)

    -- gewg_

    • (Score: 2) by kaszz on Sunday December 07 2014, @10:11AM

      by kaszz (4211) on Sunday December 07 2014, @10:11AM (#123448) Journal

A long time ago browsers didn't give any pardon for forgetting the protocol specification. .. .. :P

      • (Score: 1) by monster on Tuesday December 09 2014, @05:16PM

        by monster (1260) on Tuesday December 09 2014, @05:16PM (#124272) Journal

        Long time ago browsers didn't actively hide the protocol part in the address bar, either.

        • (Score: 2) by kaszz on Wednesday December 24 2014, @02:53AM

          by kaszz (4211) on Wednesday December 24 2014, @02:53AM (#128817) Journal

Today's internet "experience" is convenient but can't tell you what's wrong any longer either. Well, unless one brings out the heavy toolkit. I think it's a loss.

    • (Score: 2) by martyb on Sunday December 07 2014, @12:25PM

      by martyb (76) Subscriber Badge on Sunday December 07 2014, @12:25PM (#123453) Journal

      The submission was incorrect and, though we noted there was a problem, had failed to correct it prior to posting. It has now been corrected; thanks for pointing it out!

      As for your assertion "link doesn't work is that you have to start the link with the protocol", you're kind of correct. =) The term is "scheme" and, in an HTML document, when resolving a link which lacks a scheme specification, that link *inherits* the scheme of the *containing* document. This is intended behavior.

Consider two users, Tom and Jerry. Tom loads "http://soylentnews.org" and clicks on the Authors link. Jerry, who is extremely security-minded, loads "https://soylentnews.org/" and then clicks on the same link. How do you code the Authors link so that Tom is not forced onto a secure connection, nor is Jerry forced to lose his? In short, how can one code a web site so that each user can see it using the level of security they prefer? By omitting an explicit specification of http[s] in the HTML, the link inherits whatever scheme the user visited the page with:

      <a href="//soylentnews.org/authors.pl">SoylentNews Authors</a>

      This link works for both Tom and Jerry, and preserves their choice of secure or insecure connection with the same HTML document.

      --
      Wit is intellect, dancing.
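How a browser actually resolves these hrefs, as an added example that is not part of the comment above: `resolveHref` applies the same reference-resolution rules a browser uses (via the WHATWG URL parser in Node.js) to show a scheme-relative link inheriting the page's scheme, and a bare `securityintelligence.com/...` link (the shape of the broken link gewg_ hit) turning into a path on the containing site. `looksLikeMissingScheme` is a constructed editorial check, a heuristic for flagging that second case before a story is posted.

```javascript
// Added example, not code from the comment or from SoylentNews: resolve an href
// the way a browser would, and flag links that were probably meant to point at
// another host but lack a scheme. The sample hrefs and page URLs are constructed.

// Resolve href against the URL of the page it appears in (RFC 3986 reference
// resolution as implemented by the WHATWG URL parser).
function resolveHref(href, pageUrl) {
  return new URL(href, pageUrl).href;
}

// "absolute": carries its own scheme; "scheme-relative": "//host/path", inherits
// the page's scheme; "relative": everything else, resolved against the page.
function classifyHref(href) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(href)) return "absolute";
  if (href.startsWith("//")) return "scheme-relative";
  return "relative";
}

// Heuristic editorial check: a relative href whose first path segment contains a
// dot and is followed by more path ("securityintelligence.com/article") almost
// certainly lost its scheme. Plain "authors.pl" or "/path" is left alone.
function looksLikeMissingScheme(href) {
  if (classifyHref(href) !== "relative" || href.startsWith("/")) return false;
  const slash = href.indexOf("/");
  if (slash < 0) return false;
  return href.slice(0, slash).includes(".");
}

// Shows Tom's and Jerry's resolutions side by side, plus the broken-link case.
function demo() {
  return {
    tom: resolveHref("//soylentnews.org/authors.pl", "http://soylentnews.org/"),
    jerry: resolveHref("//soylentnews.org/authors.pl", "https://soylentnews.org/"),
    broken: resolveHref("securityintelligence.com/article", "https://soylentnews.org/article.pl"),
    flagged: looksLikeMissingScheme("securityintelligence.com/article"),
  };
}
```

One caveat the example makes visible: a scheme-relative href inherits whatever scheme the page was loaded with, so a page reachable over some third scheme would hand that scheme to the link as well, which is the concern raised in the reply below about every scheme having to be supported by the linked site.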
      • (Score: 2) by pe1rxq on Sunday December 07 2014, @02:58PM

        by pe1rxq (844) on Sunday December 07 2014, @02:58PM (#123475) Homepage

        This would only work if all possible schemes which lead to soylentnews would also work with the link.
        That is a pretty dangerous assumption.
You would have to check if the linked site supports them all before posting an article. I am going to assume (yeah, I know...) that just putting a scheme in the article would be the better solution.

        • (Score: 2) by martyb on Monday December 08 2014, @01:57PM

          by martyb (76) Subscriber Badge on Monday December 08 2014, @01:57PM (#123719) Journal

          This would only work if all possible schemes which lead to soylentnews would also work with the link.
          That is a pretty dangerous assumption.
You would have to check if the linked site supports them all before posting an article. I am going to assume (yeah, I know...) that just putting a scheme in the article would be the better solution.

          I understand your concern. Do note, however, the explicit statement of "in an HTML document" in the GP comment. The starting URI used to access a resource on soylentnews.org would specify a scheme to access that resource. So, each of: "http://soylentnews.org/" and "https://soylentnews.org/", explicitly state what the default scheme would be for any protocol-relative URL contained within the returned document.

          See, for example, RFC 3986 [ietf.org] — "Uniform Resource Identifier (URI): Generic Syntax", specifically with respect to "Reference Resolution" and "Normalization and Comparison".

          See, also: Protocol-relative URLs [wikipedia.org], The Protocol-relative URL [paulirish.com], and Protocol-relative URLs enabled on all Wikimedia Foundation wikis [wikimedia.org].

          --
          Wit is intellect, dancing.
      • (Score: 2) by maxwell demon on Sunday December 07 2014, @07:45PM

        by maxwell demon (1608) on Sunday December 07 2014, @07:45PM (#123527) Journal

If Jerry is extremely security-minded, he should have installed the HTTPS Everywhere extension, so he goes to the HTTPS page whenever possible, even if the link was to the HTTP version.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:44AM

    by Anonymous Coward on Sunday December 07 2014, @09:44AM (#123438)

    Here is the correct link [securityintelligence.com]. Good to see the editors can identify a bad link, and even comment on it (implying this link was being "tested" on SN?), but can't even add the missing http:// to fix the link.

    Why on earth was this story even posted with the main link knowingly not working? SN, you get what you pay for (unless you're a subscriber).

    • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:51AM

      by Anonymous Coward on Sunday December 07 2014, @09:51AM (#123442)

      SN, you get what you pay for (unless you're a subscriber).

      Huh... Wha... someone said something about... subscribers?

  • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:48AM

    by Anonymous Coward on Sunday December 07 2014, @09:48AM (#123439)

    "It's OK, guy, Dave said to let me in."
    "I don't know any Dave."
    "Might have been Steve, Bob, Scott, Mike. What's the name of your security dude?"
    "Susan."
    "That's right, guy, Susan said to let me in!"
    "Oh well if Susan authorized you, come on in then."

    • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @09:52AM

      by Anonymous Coward on Sunday December 07 2014, @09:52AM (#123443)

      Dave's not here, man.

      • (Score: 1, Insightful) by Anonymous Coward on Sunday December 07 2014, @09:57AM

        by Anonymous Coward on Sunday December 07 2014, @09:57AM (#123445)

        Dave may or may not be here, man. We don't verify his presence.

    • (Score: 4, Informative) by maxwell demon on Sunday December 07 2014, @12:44PM

      by maxwell demon (1608) on Sunday December 07 2014, @12:44PM (#123458) Journal

      Actually it's more like this:

      Rob: "Please let me in, I'm Dave."
      Doorman: "Please prove that you are Dave."
Dave: "Well, just ask Susan."

      Doorman to Susan: "Susan, here's someone who claims to be Dave and said you know him."
      Susan: "Oh yes, yesterday he approached me at the sidewalk and introduced himself as Dave."
      Doorman: "Well, that settles that, I guess."

      Doorman to Rob: "OK, Dave, you may pass."

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by maxwell demon on Sunday December 07 2014, @12:47PM

        by maxwell demon (1608) on Sunday December 07 2014, @12:47PM (#123460) Journal

        Err … the third line of the dialogue should of course have started with "Rob:"

        --
        The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Monday December 08 2014, @02:20AM

        by Anonymous Coward on Monday December 08 2014, @02:20AM (#123627)

I don't get it. Can we have a car analogy?

  • (Score: 2) by kaszz on Sunday December 07 2014, @10:35AM

    by kaszz (4211) on Sunday December 07 2014, @10:35AM (#123449) Journal

This sounds just like some security designer who "oops, didn't think of that". And thus the cause is more systemic, be it stupid management, incompetence, a stressed environment, etc.

    • (Score: 2) by FatPhil on Sunday December 07 2014, @05:55PM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Sunday December 07 2014, @05:55PM (#123507) Homepage
      Looks like the flaw is with LinkedIn, or the authentication-service providers. And because of that, every site that wants to be supposedly user-friendly gets (their users) raped. The website is almost as much a victim as the victim (it has been persuaded to let someone in that it probably wanted to keep out). Is it their fault for trusting a third party to do authentication? Perhaps. But if that party has one job - namely that of authentication - then surely it's reasonable to trust them to do that one job?

And of course, Comodo had one job, and TurkTrust had one job, and ...

      It seems that trusting third parties ain't such a smart move when it comes to security.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by kaszz on Monday December 08 2014, @01:47AM

        by kaszz (4211) on Monday December 08 2014, @01:47AM (#123615) Journal

        "It seems that trusting third parties ain't such a smart move when it comes to security." - correct.

Security is when YOU have complete control and can verify it yourself. Outsourcing it to a site which then outsources that to another party, etc., is going to fail by the law of Murphy. Besides, the profit motive is not a good incentive security-wise.

  • (Score: 0) by Anonymous Coward on Sunday December 07 2014, @12:09PM

    by Anonymous Coward on Sunday December 07 2014, @12:09PM (#123451)

    Seems more like propaganda aimed at making a case against unverified email addresses.
    More and more the powers that be want us to verify our identity.
    This is how it starts.

    • (Score: 1) by Synonymous Homonym on Monday December 08 2014, @12:50PM

      by Synonymous Homonym (4857) on Monday December 08 2014, @12:50PM (#123703) Homepage

      Depends on what you mean by "verify our identity".

      The only identity that needs to be verified is the identity of whoever is supplying the address with whoever is using the address.
      There is no need to know what individual or group that corresponds to in meatspace.

  • (Score: 2) by maxwell demon on Sunday December 07 2014, @12:38PM

    by maxwell demon (1608) on Sunday December 07 2014, @12:38PM (#123455) Journal

This shows that my decision back on Slashdot to not have my email address shown publicly was the right one. The only people who have access both to my email address and my Slashdot user name are those who could impersonate me on Slashdot anyway: the staff of Slashdot that have access to the internal database.

    Well, thinking about it, also the staff at Soylent News have it (because that's the only other place where I ever used the same user name — and of course I don't show my email address publicly here either).

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2, Funny) by Ethanol-fueled on Sunday December 07 2014, @11:35PM

      by Ethanol-fueled (2792) on Sunday December 07 2014, @11:35PM (#123587) Homepage

      The joke's on my attacker -- My Slashdot account was banned from posting. Nobody can impersonate me there, bahaha.

  • (Score: 1) by Arik on Sunday December 07 2014, @09:50PM

    by Arik (4543) on Sunday December 07 2014, @09:50PM (#123553) Journal

I see these things all the time. I never asked anyone to put them there, and I never signed up for any social networks. Yet these 'networks' keep a 'shadow profile' of me anyhow. They actively promote this login scheme, then hand over my 'shadow profile' to the first person to show up claiming to be me, and use it not only to libel me on the network I don't use, but even to compromise my account on a website I actually did sign up for.

    There has to be a lawyer that smells blood here.

    --
    If laughter is the best medicine, who are the best doctors?