SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms

We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.
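The relying-site flaw in the walkthrough above, shown beside a stricter linking policy. This is an added example, not code from the original post or from the IBM research; the assertion fields (`provider`, `subject`, `email`, `email_verified`), the account store and the status strings are assumptions for illustration.

```python
# Added example: how a relying site handles a social-login assertion.
# All dict shapes, field names and status strings are illustrative assumptions.

def make_store():
    # Constructed sample data: one local-only user, no social identity linked.
    return {"accounts": {"victim@example.com": {"user": "victim", "links": set()}}}

def vulnerable_login(store, assertion):
    """Flawed flow from the walkthrough: the provider's email is the only key."""
    acct = store["accounts"].get(assertion["email"].lower())
    return ("LOGGED_IN", acct["user"]) if acct else ("NO_ACCOUNT", None)

def hardened_login(store, assertion, local_password_ok=False):
    """Key on (provider, subject id); never auto-link on an email match."""
    identity = (assertion["provider"], assertion["subject"])
    # 1. An identity the account owner linked earlier logs in directly.
    for acct in store["accounts"].values():
        if identity in acct["links"]:
            return ("LOGGED_IN", acct["user"])
    # 2. An email the provider has not verified proves nothing about ownership.
    if not assertion.get("email_verified", False):
        return ("REJECTED_UNVERIFIED_EMAIL", None)
    acct = store["accounts"].get(assertion["email"].lower())
    if acct is None:
        return ("NEW_ACCOUNT_ALLOWED", None)
    # 3. Email matches an existing local account: link only after the user
    #    also proves control of that local account (e.g. its password).
    if not local_password_ok:
        return ("LOCAL_AUTH_REQUIRED", None)
    acct["links"].add(identity)
    return ("LINKED_AND_LOGGED_IN", acct["user"])

# Constructed assertion: a provider account registered with someone else's
# address, which the provider never verified.
SPOOFED = {"provider": "idp.example", "subject": "subj-1234",
           "email": "victim@example.com", "email_verified": False}

if __name__ == "__main__":
    print(vulnerable_login(make_store(), SPOOFED))
    print(hardened_login(make_store(), SPOOFED))
```

Even when the provider does mark the address as verified, the hardened flow still asks for the local credential before linking, so the existing account never changes hands on the strength of the provider's claim alone.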

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below.

Thinkpad 701c: Reverse Engineering a Retro Processor Upgrade

[Noq2] has given his butterfly new wings with a CPU upgrade. Few laptops are as iconic as the IBM Thinkpad 701 series and its “butterfly” TrackWrite keyboard. So iconic in fact, that a 701c is part of the permanent collection of the Museum of Modern Art in New York.

Being a 1995 vintage laptop, [Noq2’s] 701c understandably was no speed demon by today’s standards. The fastest factory configuration was an Intel 486-DX4 running at 75 MHz. However, there have long been rumors and online auctions referring to a custom model modified to run an AMD AM-5x86 at 133 MHz. The mods were performed by shops like Hantz + Partner in Germany. With this in mind, [Noq2] set about reverse engineering the modification, and equipping his 701c with a new processor.

The first step was determining which AMD processor variant to use. It turns out that only a few models of AMD’s chips were pin compatible with the 208 pin Small Quad Flat Pack (SQFP) footprint on the 701c’s motherboard. [Noq2] was able to get one from an old Evergreen 486 upgrade module on everyone’s favorite auction site. He carefully de-soldered the AM-5x86 from the module, and the Intel DX4 from the 701c. A bit of soldering later, and the brain transplant was complete.

Some detailed datasheet research helped [Noq2] find out how to increase the bus clock on his 5x86 chip, and enable the write-back cache. All he had to do was move a couple of passive components and short a couple of pins on the processor.

The final result is a tricked out IBM 701c Thinkpad running an AMD 5x86 at 133 MHz. Still way too slow for today’s software – but absolutely the coolest retro mod we’ve seen in a long time.

Capacitive Sensing And Old IBM Keyboards

The pen is mightier than the sword, but the IBM Model M keyboard, properly applied, can knock teeth in. There are a few more IBM keyboards even better suited to blunt force trauma – the extremely vintage beam spring keyboards made for terminals and desktop publishers. Being so very old, there’s no easy way to connect these keyboards to a modern system, so when [xwhatsit] wanted to make his work, he needed to build his own controller.

The beam spring keyboards use capacitive switches, and with 122 keys, the usual method of reading capacitance – putting a capacitor in an oscillator – would be far too slow to be of any use in a keyboard. There is another method of reading capacitance: measuring the current going through the capacitive switch. This can easily be accomplished with an LM339 comparator.

[xwhatsit]’s keyboard controller uses this capacitive sensing circuit to read the four rows of keys, with a few shift registers taking care of the columns. An ATMega32u2 is the brains of the outfit, running LUFA to translate the key presses to USB.

If you’re lucky enough to have one of these ancient keyboards, [xwhatsit] is selling a few over on the usual mechanical keyboard forums. There’s also a controller for the Model F keyboard using the same basic circuit. If you need one just drop him a line or grab the gerbers and roll your own.

Retrotechtacular: Once Upon A Punched Card

Ah, the heady days of the early 60s, where companies gave their salesmen exquisitely produced documentaries, filled with incidental music written by the best composers of the era, and a voice actor that is so unabashedly ordinary you would swear you’ve heard him a hundred times before. It’s a lot better than any PowerPoint presentation anyone could come up with, and lucky for us, these 16mm films are preserved on YouTube for everyone to enjoy. This one was sent out to IBM sales reps pushing a strange technology called a ‘punched card’, a system so efficient it will save your company tens of thousands of dollars in just a few short years.

Like most explanations of what a punched card does, this IBM documercial begins with the history of the Jacquard loom that used punched cards for storing patterns for textile weaving. In a rare bit of historical context befitting IBM, this film also covers the 1880 US census, an important part in the evolution of punched cards being used not as instructions for a loom, but data that could be tabulated and calculated.

The United States takes a census every ten years. The tenth census of 1880 took so long to compile – seven years – that it was feared the next census of 1890 wouldn’t be complete until the turn of the century. This problem was solved by [Herman Hollerith] and his system of encoding census data onto punched cards for tabulation. [Hollerith] would later go on to found the Tabulating Machine Company that would later merge with two other companies to form IBM. Isn’t it great that IBM chose to include that little nugget in their film?

As a point of interest, the film does contain a short pitch for IBM punched card writers, sorters, and calculators – the backbone of IBM’s medium to large size business sales. At the time this film was produced (1964) IBM was ready to announce the System/360, what would become the de facto mainframe for businesses of all sizes.  Yes, the /360 also used punched cards, but we wonder how many angry phone calls the sales reps received months after showing this film.

Laser Etching Brings New Life To An IBM Keyboard

[Evan] was perusing his local thrift store when he found a beautiful IBM Model M 122-key keyboard made in 1987.

“This is my keyboard, there are many like it, but this one is mine.”

~The Typist’s Creed

In [Evan’s] case, this might actually be the only one like it still in use today. An idea formed in his head. What if he took this ancient keyboard, gave it a USB driver, and customized the keys on a hardware level to do exactly what he wanted.

The first step was converting it to USB. He’s using a Teensy 2.0 mostly because it is super inexpensive, and it’s able to act as a USB HID device. In addition to wiring up the keyboard to the Teensy he’s also added foot pedals that connect via 1/8″ stereo plugs — these kind of act like extra mouse buttons, allowing him to scroll through galleries left to right, add page breaks, and other macros to increase efficiency.

Building a More Nyan Planet

In an effort to give salespeople something impressive to hand out, IBM recently had a bunch of very cool promotional materials printed up. It’s basically a greeting card-sized cardboard folder with a bit of text, an LCD screen, buttons, battery and display controller. This video-in-print device is meant to display how IBM is building a smarter planet, but [Cookie] and [Stitch] over at the Hack42 hackerspace in The Netherlands decided Nyan Cat would be a much better use of this free, portable video player (Google translation). UPDATE: Site has gone down. Here’s the Google Cache, but you’ll need a browser like Chrome that can do the translation for you (we can’t figure out how to link a translation of cache).

This video card uses tech licensed from Americhip, a company that has been putting video in magazines for a few years now. By connecting the USB charging port up to his computer, the guys were able to switch the device over to USB mode where the actual video files could be read and rewritten.

By encoding a few videos to match the format of what was on the card – including some old IBM promotional material by [Jim Henson] – the team were able to get videos playing on a hackable flyer. Very cool, and if you can get your hands on some sales brochures, a free source of tiny displays.

Converting an IBM PCjr joystick to USB

Seeing this IBM joystick again really brings back memories. But it can be used on a modern system thanks to this USB conversion project.

This particular model had a connector which is foreign to us. It looks like a boxy USB-A plug, but has an eight-pin socket which looks like it’s 0.1″ pitch. You could try to make your own male connector using a dual-row pin header, but [Gruso] just went ahead and lopped off the end of the cable. He managed to dig up the pin-out for the device and found that it could be wired up to a gameport — the connector being the only real difference. He gutted a USB gameport adapter, removing the DB15 connector and soldering directly to the board. The boxy old peripheral has just enough room to house that PCB.

If you’re looking for a few more details than this build album provides check out [Gruso’s] comments in the Reddit thread.