SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms

We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.
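The three weaknesses above all meet in the relying website’s callback handler, so here is an added Python sketch of that handler (it is not code from the X-Force write-up, from LinkedIn or from Slashdot) showing the e-mail-only account match that SpoofedMe exploits next to a hardened version. The assertion field names (`provider`, `sub`, `email`, `email_verified`) are assumptions modelled on OpenID Connect claims, and the accounts and assertions are constructed sample data.

```python
"""Relying-party social-login handler: e-mail-only matching vs. hardened identity linking.

Added example, not the original article's code. Field names are assumptions
modelled on OpenID Connect claims; all data below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    user_id: str
    email: str
    # identities the account owner has explicitly confirmed: {(provider, subject), ...}
    linked: set = field(default_factory=set)


# Constructed assertion as received after the identity-provider redirect: the attacker
# registered the victim's address at an IdP that never checked ownership of it.
ATTACKER_ASSERTION = {
    "provider": "idp-unverified",
    "sub": "attacker-sub-42",
    "email": "victim@example.com",
    "email_verified": False,
}


class RelyingParty:
    def __init__(self, accounts):
        self.accounts = list(accounts)
        self.by_email = {a.email.lower(): a for a in self.accounts}

    def _find_linked(self, provider, subject):
        for acct in self.accounts:
            if (provider, subject) in acct.linked:
                return acct
        return None

    def link_identity(self, user_id, provider, subject):
        """Owner-confirmed link (after password re-auth or an e-mailed challenge)."""
        for acct in self.accounts:
            if acct.user_id == user_id:
                acct.linked.add((provider, subject))

    def login_vulnerable(self, assertion):
        """Matches on the e-mail claim alone: whoever holds an IdP account carrying the
        victim's address is logged in as the victim (the SpoofedMe condition)."""
        acct = self.by_email.get(assertion["email"].lower())
        return ("ok", acct.user_id) if acct else ("new_account", None)

    def login_hardened(self, assertion):
        provider, subject = assertion["provider"], assertion["sub"]
        email = assertion["email"].lower()
        # 1. Previously linked identities are keyed on (provider, subject), never on e-mail.
        acct = self._find_linked(provider, subject)
        if acct:
            return ("ok", acct.user_id)
        # 2. An unverified e-mail claim carries no authority; treat it as absent.
        if not assertion.get("email_verified", False):
            return ("denied", None)
        # 3. Even a verified address that collides with a local account is not proof of
        #    ownership of that account: the owner must confirm the link, never auto-merge.
        if email in self.by_email:
            return ("link_requires_owner_confirmation", None)
        # 4. No collision: create a fresh account and link this identity to it.
        new = LocalAccount(f"u-{1000 + len(self.accounts) + 1}", email, {(provider, subject)})
        self.accounts.append(new)
        self.by_email[email] = new
        return ("ok", new.user_id)


def demo():
    """Runs the attacker's assertion through both handlers on a fresh relying party."""
    rp = RelyingParty([LocalAccount("u-1001", "victim@example.com")])
    return {
        "vulnerable": rp.login_vulnerable(ATTACKER_ASSERTION),
        "hardened": rp.login_hardened(ATTACKER_ASSERTION),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened path makes each of the three conditions harmless on its own: an IdP that skips address verification yields `email_verified: False` and is refused outright, and even a verified address is never enough to take over or merge into an existing local account without the owner's confirmation.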

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real-world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below.

Hackaday Links: April 20, 2012

Introducing Hackaday: how it’s made edition

Ever wonder how they make the forms for marine propellers? Now you have. It turns out they use a bunch of plywood, Bondo, and sandpaper. Awesome viewing for a coffee break.

Finally a new way to hurt yourself!

[Darrell]’s solder flux pen was filled and capped at sea level. When this pen made it to his work bench high in the mountains of Colorado there was a significant amount of pressure in that pen. The flux squirted out right into [Darrell]’s eye. Better get some Visine on that, man.

The most accurate television portrayal of hacking ever

[Russell] was watching TV last night and saw an interesting commercial. It’s a bunch of electronic components, then a nook color showing the front page of Make: Projects, an Arduino schematic, and finally a happy robot. Two observations: firstly, someone in media and advertising doesn’t think ‘hacking’ is WarGames stealing bank accounts. Secondly, an ad exec looked into current users.

Here’s the official YouTube video of the commercial.

In a world… where components aren’t soldered… one man… uses a soldering station.

Adafruit linked to the most outrageous promo video ever. This Weller soldering station provides 240 watts, battles alongside Agamemnon at Troy, has rework tweezers, and travels to Italy to wage war against the Latins.

An IDE for the 21st century

[Chris] is currently developing a new paradigm for programming. He calls it Light Table, and it’s designed to be an improvement over a simple text editor and project manager. All the documentation is at your fingertips, you can make changes on the fly. It reminds us of the zzstructure emulator we saw last year. It’s something to keep an eye on at least.

BBC covers an old-school hacker

Yesterday, the BBC posted an article on [Julian Skidmore]’s AVR-based homebrew computer.

[Julian]’s project uses an AVR and a derivative of Forth to recreate the capabilities of the 8-bit computers of yesteryear. With 8kB of RAM, [Julian] got a TV-out up and running, and even included code for a Lunar Lander game.

We’re happy for [Julian] getting some notoriety as an old-school solder monkey, but we’re wondering why the BBC is covering a project not unlike the something that could be seen on hackaday once a week. Could it be the first inkling of respect for the hacker and DIY community in the general public’s eye?

In any event, we love the initiative shown in [Julian]’s quote at the bottom of the BBC article: “Building the machine is a way to learn the essentials of what a computer is all about.” If you want to understand something, you’ve got to build it yourself. Truer words…

Nanotouch: a tiny AVR media thing

[Rossum] is at it again. This time, he has created a super tiny media device to get us drooling. You might recall him from the 8-bit device we showed you before. The Nanotouch is roughly the dimensions of a 96×64 OLED screen (slightly larger than a quarter), with about 1/3 to 1/2 of an inch of stuff packed behind it. The screen itself is mounted atop 4 buttons. This allows you to depress the screen edges for navigation. He does mention that this design needs a little work to prolong the life of the screen, but we really like the intuitive way of navigating. At its heart is an ATmega32u4.

We thought his last version was fantastic, but this one has us enamored. He states he’ll publish schematics and code, as he did before. We just didn’t want to wait to share.

[thanks Joakim]

VLC media player 0.9.2 released

VideoLAN just released VLC media player 0.9.2. VLC is probably the best known open source media player, and supports most audio/video formats without additional codecs. Before VLC, we usually installed buggy codec packs to watch videos in Winamp or Windows Media Player. We’ve found the nightly builds to be pretty stable for the past month, but it’s nice to see the final version released.

Download Squad gushed over the new interface design, but omitted the real change — VideoLAN switched from wxWidgets to the Qt toolkit. Among many changes, Qt allows video effects to be applied without restarting the media.

One of our favorite new features is an adjustments and effects menu for quick picture, sound, and subtitle tweaks. The new version has better support for flash videos (FLV), and will stream from most online video sharing sites. See the full changelog at the VideoLAN wiki, and help out if that’s your thing.

[via Download Squad]

Hackit: Network Attached Storage?

With each passing day the rate we acquire digital media increases (we don’t even bother unpacking our CDs when we move anymore). Large publishers have started moving away from DRM, which means we’ll be buying even more digital media in the future. Acquiring all of this nonphysical property puts importance on not just making it easily accessible, but also protecting it from destruction. Slashdot asked for reader suggestions of what NAS to buy; we’ve compiled some of the options below and want to know what you use.


Make a universal Macbook Air Superdrive

For $99, Apple will happily sell you a slick USB SuperDrive (aka DVD burner) that only works with the MacBook Air. [tnkgrl] swapped out the USB-IDE interface with a generic $9 unit to make it work with everything else. The generic board required a few mods: relocating the crystal oscillator along with the amputation of its daughter-board that carried an external power connector, USB connector and some caps.