SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms

We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real-world examples of this vulnerability are LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below.
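As an added example (not part of the original post, and not code from IBM X-Force or any of the sites named), here is the relying-website side of the flow above in Python: a login handler that treats an e-mail match as proof of identity, next to a hardened one that keys on the provider’s stable subject id, honours the provider’s email_verified flag, and refuses to attach a social identity to an existing local account until the local password has been presented. The IdpAssertion shape, the provider names, the addresses and the passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpAssertion:
    """What an identity provider hands the relying website after a social login.
    The shape is assumed for this example; real providers send OAuth/OpenID Connect claims."""
    provider: str          # e.g. "LinkedIn" (constructed)
    subject: str           # the provider's stable, unique id for this account
    email: str             # address the provider reports for the account
    email_verified: bool   # whether the provider actually confirmed ownership of it


class RelyingWebsite:
    """Minimal account store for the site being logged in to (a stand-in for Slashdot)."""

    def __init__(self):
        self.users = {}   # email -> {"salt", "pw_hash", "links"}
        self.links = {}   # (provider, subject) -> email of the local account it may log in to

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_local(self, email, password):
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "pw_hash": self._hash(password, salt), "links": set()}

    def check_password(self, email, password):
        user = self.users.get(email)
        if user is None or not user["pw_hash"]:      # social-only accounts have no password
            return False
        return hmac.compare_digest(user["pw_hash"], self._hash(password, user["salt"]))

    def social_login_vulnerable(self, a):
        """The SpoofedMe flaw: an e-mail match is treated as proof of identity."""
        if a.email in self.users:
            return ("login", a.email)   # whoever holds a provider account with this address gets in
        self.users[a.email] = {"salt": b"", "pw_hash": b"", "links": {(a.provider, a.subject)}}
        return ("created", a.email)

    def social_login_hardened(self, a):
        """Log in only on an explicit (provider, subject) link; never auto-link on e-mail alone."""
        key = (a.provider, a.subject)
        if key in self.links:                   # this exact provider identity was linked earlier
            return ("login", self.links[key])
        if not a.email_verified:                # provider never checked the address: it proves nothing
            return ("rejected_unverified", None)
        if a.email in self.users:               # a local account exists: its owner must prove it first
            return ("link_requires_proof", a.email)
        self.users[a.email] = {"salt": b"", "pw_hash": b"", "links": {key}}   # genuinely new user
        self.links[key] = a.email
        return ("created", a.email)

    def link_after_local_auth(self, a, password):
        """Attach a provider identity to a local account only after the local password checks out."""
        if not a.email_verified or not self.check_password(a.email, password):
            return False
        key = (a.provider, a.subject)
        self.users[a.email]["links"].add(key)
        self.links[key] = a.email
        return True


if __name__ == "__main__":
    site = RelyingWebsite()
    site.register_local("victim@example.com", "correct horse battery staple")   # constructed account
    # Constructed assertion: a provider account carrying the local user's address, never verified.
    unverified = IdpAssertion("LinkedIn", "subject-123", "victim@example.com", email_verified=False)
    print("vulnerable:", site.social_login_vulnerable(unverified))
    print("hardened:  ", site.social_login_hardened(unverified))
```

The two handlers differ on exactly the three points the post lists: the hardened one does not trust an unverified address, does not let an address alone select a local account, and does not merge the two credentials until the local owner has consented by authenticating.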

Hackaday in the social tangle

Like any other organization out there, we’re always trying to find new ways to reach our audience. Admittedly, we’re not the fastest when it comes to adopting a new social communication site. We’re working on it though, trying to be a bit more interactive … or just plain active.

So, if you’re looking for other ways to get your hacking fix, or see some interesting commentary, find us on facebook, twitter, our own forums, and now G+. We just signed up to G+ and our name is “Hackie Smith”. If you need an invite, email us at theofficialhackaday@gmail.com (see below). Sometimes there’s good discussion in those places that doesn’t end up here on the site.

You can also find several of us spattered across the web in sites like Reddit and Slashdot.

[Update: Our g+ page got shut down. Feel free to find any of the writers on g+. I’ll give out invites, look for “Caleb Kraft” or 60mango@gmail]

Foundation cooling


Overclockers are always trying to come up with new, colder, and quieter ways to keep their PCs cool. [gigs] was so dedicated to this, he decided to lay 6 meters of copper pipe to use as a radiator in his new house’s foundation. As of now, the foundation is laid (copper pipes and all), and the forum posts come complete with finished slab pics, though there is no house to speak of yet.

[via Slashdot]

Distributed computing in JavaScript


We’ve heard about the idea of using browsers as distributed computing nodes for a couple of years now. It’s only recently, with the race towards faster JavaScript engines in browsers like Chrome, that this idea seems useful. [Antimatter15] did a proof of concept JavaScript implementation for reversing hashes. Plura Processing uses a Java applet to do distributed processing. Today, [Ilya Grigorik] posted an example using MapReduce in JavaScript. Google’s MapReduce is designed to support large dataset processing across computing clusters. It’s well suited for situations where computing nodes could go offline randomly (i.e. a browser navigates away from your site). He included a JavaScript snippet and a job server in Ruby. It will be interesting to see if someone comes up with a good use for this; you still need to convince people to keep your page open in the browser though. We’re just saying: try to act surprised when you realize Hack a Day is inexplicably making your processor spike…

[via Slashdot]

Hackit: DTV converter boxes?


An anonymous Slashdot reader asked today what was the best digital television to analog converter box. He was looking for one with the best hacking potential. We actually purchased a Zenith DTT900 HD converter box this summer specifically wondering about the hacking potential. We did a teardown and you can find a full gallery on Flickr. Our conclusion was this: there’s not much there. You’re talking about a box that takes a digital RF signal and turns it into a crappier looking analog signal over composite. There isn’t much you can do outside of its designed use. Do you have any ideas what else can be done with it?

Slashdot commenter [timeOday] did mention a Tivax brand box that features a serial port. You can use it to issue remote commands to the box.

Not much has been said about the actual coupons. We’ve got a scan of them embedded below. The $40 coupons are essentially credit cards. We ran ours through a magstripe reader confirming this. Even though the card isn’t stamped with the recipient’s name, it is stored on the magstripe.


Use the CPU cache to prevent cold boot? No.


Frozen Cache is a blog dedicated to a novel way to prevent cold boot attacks. Last year the cold boot team demonstrated that they could extract encryption keys from a machine’s RAM by placing it in another system (or the same machine by doing a quick reboot). Frozen Cache aims to prevent this by storing the encryption key in the CPU’s cache. It copies the key out of RAM into the CPU’s registers and then zeroes it in RAM. It then freezes the cache and attempts to write the key back to RAM. The key is pushed into the cache, but isn’t written back to RAM.

The first major issue with this is the performance hit. You end up kneecapping the processor when you freeze the cache, and the author suggests that you’d only do this when the screen is locked. We asked cold boot team member [Jacob Appelbaum] what he thought of the approach. He pointed out that the current cold boot attack reconstructs the key from the full key schedule, which, according to the Frozen Cache blog, still remains in RAM. They aren’t grabbing the specific key bits, but recreating the key from all this redundant information in memory. At best, Frozen Cache is attempting to build a ‘ghetto crypto co-processor’.

We stand by our initial response to the cold boot attacks: It’s going to take a fundamental redesign of RAM before this is solved.
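To make [Jacob Appelbaum]’s point concrete, here is an added example in Python (not code from Frozen Cache or from the cold boot team) showing why moving the 16 key bytes out of RAM is not enough on its own: the AES-128 key schedule is invertible, so any one of the eleven round keys left behind determines the original key. The block expands a key, simulates a scheme that zeroes only the raw key, shows the key still falls out of the last round key, and then shows what a complete scrub of all 176 schedule bytes looks like. It assumes AES-128 and uses the FIPS-197 test key; the S-box is computed from its definition rather than typed in.

```python
"""Added example: an AES-128 key schedule can be run backwards, so a defence
that zeroes only the 16 key bytes leaves the key recoverable. Assumes AES-128."""


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Compute the AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _g(word, rcon):
    """Key-schedule core: RotWord, SubWord, then XOR the round constant into byte 0."""
    rotated = word[1:] + word[:1]
    subbed = [SBOX[b] for b in rotated]
    subbed[0] ^= rcon
    return subbed


def expand_key(key):
    """AES-128 key expansion: the 176-byte schedule (eleven 16-byte round keys)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = _g(t, RCON[i // 4 - 1])
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytearray(b for word in w for b in word)


def round_key(schedule, r):
    """Round key r (0..10) as 16 bytes of the schedule."""
    return bytes(schedule[16 * r:16 * r + 16])


def recover_key_from_round_key(rk, r):
    """Run the schedule backwards: w[i-4] = w[i] XOR f(w[i-1]), so round key r gives round key 0."""
    w = {4 * r + j: list(rk[4 * j:4 * j + 4]) for j in range(4)}
    for i in range(4 * r + 3, 3, -1):
        t = w[i - 1]
        if i % 4 == 0:
            t = _g(t, RCON[i // 4 - 1])
        w[i - 4] = [a ^ b for a, b in zip(w[i], t)]
    return bytes(b for j in range(4) for b in w[j])


def zero_only_key(schedule):
    """What a key-out-of-RAM scheme does: wipe the 16 key bytes and leave the rest."""
    schedule[0:16] = bytes(16)
    return schedule


def scrub_schedule(schedule):
    """What is actually required: wipe every byte of the expanded schedule."""
    schedule[:] = bytes(len(schedule))
    return schedule


def demo(key):
    """Return (key recovered after zeroing only the key, key recovered after a full scrub)."""
    mem = expand_key(key)            # stands in for the schedule a cipher left in RAM
    zero_only_key(mem)
    after_partial = recover_key_from_round_key(round_key(mem, 10), 10)
    scrub_schedule(mem)
    after_full = recover_key_from_round_key(round_key(mem, 10), 10)
    return after_partial, after_full


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A test key
    partial, full = demo(key)
    print("key recovered after zeroing only the key bytes:", partial == key)
    print("key recovered after scrubbing the whole schedule:", full == key)
```

The check a defender wants from this is the first one: if zeroing the key still leaves `recover_key_from_round_key` returning the original key from any surviving round key, the key material has not left RAM, whatever happened to the 16 bytes the scheme moved into the cache.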

[via Slashdot]

Apple tries to stop sneaker hackers

Apparently, Apple has decided that extending DRM to your Nike accessories will keep hackers at bay. Sick of people cutting the sensors out of their Nike shoes for use on other apparel, they have applied for a patent. Ever noticed the warning that it’s illegal to pull the tag off of a mattress? Did that stop you?

[via Slashdot]