IBM's X-Force security research team have demonstrated an attack that leverages social login to gain access to targeted user accounts.
In a nutshell: The attack can exploit a site that has both local and social login enabled and uses email addresses as a unique identifier. By setting up an account with a social provider that doesn't verify the email address, you can then leverage it into accessing a local account set up under the same email address.
The full writeup is available here, and I think soylentils will appreciate the site they tested it on. IBM has also made available a full whitepaper on the attack.
[Ed note: Corrected link to the "full writeup" and added whitepaper link.]
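The account-matching flaw summarized above, shown next to a hardened form, as an added example that is not code from IBM's writeup or from the site they tested. All names (`SocialAssertion`, `resolve_vulnerable`, `resolve_hardened`), the sample account, and the policy of requiring both a provider-verified email and a local re-authentication before linking are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SocialAssertion:
    provider: str         # identity provider name
    subject: str          # provider's stable user id
    email: str            # email address the provider reports
    email_verified: bool  # did the provider confirm ownership of that address?

# Constructed sample data: one local account keyed by email.
LOCAL_ACCOUNTS = {"victim@example.com": "acct-1001"}
# Explicit links created after a successful check: (provider, subject) -> account id.
LINKS = {}

def resolve_vulnerable(a: SocialAssertion):
    """'Before' behaviour: the asserted email alone selects the local account."""
    return LOCAL_ACCOUNTS.get(a.email.strip().lower())

def resolve_hardened(a: SocialAssertion, reauthenticated: bool = False):
    """Match on (provider, subject); link by email only with proof of ownership.

    `reauthenticated` is a hypothetical flag meaning the user has just proven
    control of the local account (for example by entering its password).
    """
    key = (a.provider, a.subject)
    if key in LINKS:                      # already linked: email plays no role
        return LINKS[key]
    account = LOCAL_ACCOUNTS.get(a.email.strip().lower())
    if account is None:
        return None                       # no collision; caller may register a new account
    if not a.email_verified:
        raise PermissionError("provider did not verify this email; refusing to link")
    if not reauthenticated:
        raise PermissionError("local re-authentication required before linking")
    LINKS[key] = account
    return account
```

Once a link exists, later logins resolve through the provider's subject identifier, so a second social account asserting the same email cannot reach the local account.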
(Score: 2) by kaszz on Monday December 08 2014, @01:47AM
"It seems that trusting third parties ain't such a smart move when it comes to security." - correct.
Security is when YOU have complete control and can verify it yourself. Outsourcing it to a site which then outsources that to another party etc. is going to fail by the law of Murphy. Besides, the profit motive is not a good incentive security-wise.