Social logins such as those offered by Amazon and LinkedIn can give attackers an easy way into your accounts on the websites that accept them, according to new research from IBM's security team.
Websites often let users sign in with a third-party social login to post comments; Facebook and Twitter are among the most common. IBM, however, found that some social logins can be abused by an attacker to impersonate another user and post misleading information or malicious software on sites that accept them.
The hack, dubbed SpoofedMe, works like this: A hacker registers a new account with a login provider using the victim's email address, an address the provider does not ask the hacker to prove they control. The hacker then uses that account to sign in to a third-party website (such as Nasdaq.com or Slashdot.org). Because the site matches the email address the provider hands back against its own list of users, it logs the hacker in as the victim.
IBM's team found that Amazon's and LinkedIn's social logins were vulnerable to SpoofedMe and warned both companies earlier this year. LinkedIn has since discontinued social login requests that include the email field, IBM said, while Amazon has updated its developer documents and said it will add a verification component. Websites that use a LinkedIn login include Nasdaq.com, Slashdot.org, Crowdfunder.com and Spiceworks.com. Several shopping websites use Amazon as a login.
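To make both the attack and the fix concrete, here is an added example; it is not IBM's code and not the login handler of any site named above. It models the website's side of a "Sign in with ..." flow: the login provider returns a set of claims about the user, and the site decides which local account to log in. The vulnerable handler trusts the returned email address, as the sites hit by SpoofedMe did; the hardened handler identifies returning users by the provider's stable account identifier and treats an email as meaningful only when the provider asserts it verified it. Assumed, not from the article: the claim names sub, email and email_verified (the OpenID Connect convention), the placeholder provider name providerX, and the constructed local user table and provider responses.

```python
# Added example: a relying-party social-login handler, vulnerable and hardened.
# Not IBM's code nor any real site's. Claim names follow the OpenID Connect
# convention (sub / email / email_verified); provider name, user table and
# provider responses are constructed sample data, not from the article.

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    email: str
    # Identities this user deliberately linked: {(provider, subject_id)}
    linked: set = field(default_factory=set)


def make_user_table():
    """Fresh copy of the constructed local account table for each run."""
    victim = User(1, "ceo@example-corp.test")
    victim.linked.add(("providerX", "subject-of-real-ceo"))
    return {1: victim}


def find_by_email(users, email):
    return next((u for u in users.values()
                 if u.email.casefold() == email.casefold()), None)


def find_by_identity(users, provider, subject):
    return next((u for u in users.values()
                 if (provider, subject) in u.linked), None)


# --- Vulnerable: the SpoofedMe mistake -------------------------------------
def login_vulnerable(users, provider, claims):
    """Log in whichever local account has the e-mail the provider reported.

    The attacker registered at the provider with the victim's address and was
    never asked to prove control of it, so the provider reports it and this
    site treats it as proof of identity.
    """
    user = find_by_email(users, claims["email"])
    return ("ok", user.user_id) if user else ("no_account", None)


# --- Hardened: match on the provider's stable subject id ---------------------
def login_hardened(users, provider, claims):
    """Return (status, user_id).

    ok      - this (provider, sub) pair was linked earlier by the user
    new     - unknown identity with a provider-verified e-mail that matches
              no existing account: a fresh local account is created
    refused - anything else, including an unverified or colliding e-mail;
              attaching a new identity to an existing account must happen
              while the user is signed in by their usual method
    """
    subject = claims.get("sub")
    if not subject:
        return ("refused", None)
    user = find_by_identity(users, provider, subject)
    if user:
        return ("ok", user.user_id)
    email = claims.get("email", "")
    if not claims.get("email_verified") or not email:
        return ("refused", None)
    if find_by_email(users, email):
        return ("refused", None)   # never auto-link on the provider's say-so
    new_id = max(users) + 1
    users[new_id] = User(new_id, email, {(provider, subject)})
    return ("new", new_id)


def run_spoofedme_scenario():
    """Replay the attack described in the article against both handlers."""
    # Step 1: attacker registers at the provider with the victim's e-mail.
    # The provider assigns its own subject id and skips address verification,
    # so the claims it later hands to the website look like this (constructed):
    attacker_claims = {"sub": "subject-of-attacker",
                       "email": "ceo@example-corp.test",
                       "email_verified": False}
    # Step 2: attacker clicks "Sign in with providerX" on the target site.
    vulnerable = login_vulnerable(make_user_table(), "providerX", attacker_claims)
    hardened = login_hardened(make_user_table(), "providerX", attacker_claims)
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    # Vulnerable handler logs the attacker in as user 1 (the CEO);
    # hardened handler refuses.
    print(run_spoofedme_scenario())
```

Against the constructed attacker response, the vulnerable handler returns the victim's account and the hardened one refuses. The two design choices that matter are in the hardened handler: the lookup key is the provider's own subject identifier rather than anything the registrant typed, and an email address never silently attaches a new provider identity to an account that already exists.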
Because hackers can use SpoofedMe to pose as trustworthy, well-known users—a company executive, for instance, or a respected developer—it allows them to more easily spread false information or malware. Still, that’s a fairly limited level of mischief compared to more damaging attacks.
“If you have a piece of malware code and you take over someone’s trusted account and say ‘here’s this code,’ because you’re leveraging trust already established in the community,” others on the website are more likely to use it, said Diana Kelley, executive security advisor at IBM Security. “That would be a big ‘gotcha.’”