posted by LaminatorX on Sunday December 07 2014, @09:13AM
from the trust-no-one dept.

IBM's X-Force security research team have demonstrated an attack that leverages social login to gain access to targeted user accounts.

In a nutshell: The attack can exploit a site that has both local and social login enabled and uses email addresses as a unique identifier. By setting up an account with a social provider that doesn't verify the email address, you can then leverage it into accessing a local account set up under the same email address.

The full writeup is available here, and I think soylentils will appreciate the site they tested it on. IBM has also made available a full whitepaper on the attack.

[Ed note: Corrected link to the "full writeup" and added whitepaper link.]
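The summary above comes down to one design choice: whether a social login is matched to an account by email address or by the provider's own user identifier. The following is an added example, not code from IBM's writeup or from any site mentioned; the class names, function names, provider name and account data are all constructed for illustration. It puts the email-only lookup beside a lookup that keys on (provider, subject) and refuses to attach a social identity to an existing local account without a local login.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SocialAssertion:            # what the social provider tells the site (constructed shape)
    provider: str
    subject: str                  # provider's stable user id
    email: str
    email_verified: bool          # did the provider confirm ownership of the address?

@dataclass
class AccountStore:               # hypothetical in-memory stand-in for the user database
    by_email: dict = field(default_factory=dict)     # email -> account id
    by_identity: dict = field(default_factory=dict)  # (provider, subject) -> account id
    next_id: int = 1

    def create(self, email=None):
        acct = f"acct-{self.next_id}"
        self.next_id += 1
        if email:
            self.by_email[email.lower()] = acct
        return acct

def login_email_only(store, a):
    # Weak pattern from the summary: the email is the sole identifier, so an
    # unverified address from the provider resolves to the local account.
    return store.by_email.get(a.email.lower())

def login_hardened(store, a):
    key = (a.provider, a.subject)
    if key in store.by_identity:                     # identity already linked
        return store.by_identity[key], "login"
    if a.email.lower() in store.by_email:            # collides with a local account:
        return None, "confirm_local_login"           # never auto-link on email alone
    # New user: only record the email if the provider verified it.
    acct = store.create(a.email if a.email_verified else None)
    store.by_identity[key] = acct
    return acct, "created"

def demo():
    store = AccountStore()
    local = store.create("alice@example.com")        # existing local account
    claim = SocialAssertion("example-idp", "sub-999", "Alice@Example.com", False)
    bob = SocialAssertion("example-idp", "sub-42", "bob@example.com", True)
    return (local, login_email_only(store, claim), login_hardened(store, claim),
            login_hardened(store, bob), login_hardened(store, bob))

if __name__ == "__main__":
    print(demo())
```
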

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by kaszz (4211) on Monday December 08 2014, @01:47AM (#123615)

    "It seems that trusting third parties ain't such a smart move when it comes to security." - correct.

    Security is when YOU have complete control and can verify it yourself. Outsourcing it to a site which then outsources that to another party etc. is going to fail by the law of Murphy. Besides, the profit motive is not a good incentive security-wise.
