Hackspace Websites And The Great Software Trap

Part of the job of a Hackaday writer involves seeking out new stories to write for your delectation and edification. Our tips line provides a fruitful fount of interesting things to write about, but we’d miss so much if we restricted ourselves to only writing up stories from that source. Each of us writers will therefore have a list of favourite places to keep an eye on and catch new stuff as it appears. News sites, blogs, videos, forums, that kind of thing. In my case I hope I’m not giving away too much to my colleagues when I say I keep an eye on the activities of as many hackspaces as I can.

So aside from picking up the occasional gem for these pages there is something else I gain that is of great personal interest as a director of my local hackspace. I see how a lot of other spaces approach the web, and can couple it to my behind-the-scenes view of doing the same thing here in our space. Along the way due to both experiences I’ve begun to despair slightly at the way our movement approaches the dissemination of information, the web, and software in general. So here follows a highly personal treatise on the subject that probably skirts the edge of outright ranting but within which I hope you’ll see parallels in your own spaces.

Before continuing it’s worth for a moment considering why a hackspace needs a public website. What is its purpose, who are its audience, and what information does it need to have?


SpoofedMe Attack Steals Accounts By Exploiting Social Login Mechanisms

We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.
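The account-linking logic the walkthrough above describes, as an added illustration (not code from the article or from IBM X-Force): a relying website that binds a social login to a local account on an email match alone, beside a version that only links when the provider asserts the address is verified and the owner is already signed in. The claim names are modelled on OpenID Connect’s `email` / `email_verified`, and the provider label and account data are constructed.

```python
from dataclasses import dataclass


@dataclass
class IdpAssertion:
    """Claims the identity provider returns to the relying website after a social login.
    Field names follow the OpenID Connect 'email' / 'email_verified' claims (an assumption;
    the article does not specify a protocol)."""
    issuer: str           # which provider, e.g. "idp.example" (constructed label)
    subject: str          # the provider's own stable id for that account
    email: str
    email_verified: bool  # did the provider actually confirm ownership of the address?


def make_accounts():
    """Constructed sample: one local account on the relying site, never linked to any IdP."""
    return {"victim@example.com": {"user_id": 42, "linked_idp": None}}


def login_vulnerable(accounts, assertion):
    """The SpoofedMe flaw: any provider account carrying a matching email is treated as
    proof of ownership, so an account registered at a lax provider with someone else's
    address is logged straight into that person's local account."""
    account = accounts.get(assertion.email)
    return account["user_id"] if account else None


def login_hardened(accounts, assertion, session_user_id=None):
    """Bind a social identity to a local account only when ownership is actually proven:
    - a previously linked (issuer, subject) pair logs straight in;
    - an unverified email never matches anything;
    - a not-yet-linked identity is accepted only while the owner is already logged in
      to that local account (an explicit linking step), never from the email alone."""
    account = accounts.get(assertion.email)
    if account is None:
        return None                      # no local match: normal sign-up path instead
    identity = (assertion.issuer, assertion.subject)
    if account["linked_idp"] == identity:
        return account["user_id"]        # linked earlier by the real owner
    if not assertion.email_verified:
        return None                      # provider did not verify the address: no match
    if session_user_id != account["user_id"]:
        return None                      # not signed in as the owner: require local login
    account["linked_idp"] = identity     # owner explicitly links the social identity
    return account["user_id"]
```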

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real-world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and MYDIGIPASS.com’s service. Check out the demonstration video below.