By Marla Hay | Posted on December 09, 2014
Late last week, news broke that IBM’s X-Force Application Security Research team uncovered a specific vulnerability on some websites using social login that would allow a hacker to impersonate someone by creating a fraudulent account with certain social identity providers. This attack only works if the site using social login does not have effective account merge practices in place. If you’re using any Janrain product that includes our merge account flow, you are not vulnerable to this attack. If not, a description of the conditions necessary for the attack is below, as are simple instructions to protect your users. We also want to emphasize that some of the identity providers that did have a vulnerability (like LinkedIn and Microsoft) have rectified the issue that made this attack possible. Furthermore, the attack requires a very specific set of conditions in order to work (see figure below), and luckily, it is completely avoidable if your account merge flow is configured correctly.
As illustrated, amongst the conditions required for this attack, the third is entirely within your control. Here’s how to prevent this type of fraudulent activity on your own properties:
1. When setting up an account merge process, only use the verified email address value from a social login identity provider.
Ensure that in your account merge process, you’re using the “verified email address” from the social provider. If you’re only using “email address” to merge user accounts, that address may or may not be verified, and you could be setting yourself up for an attack. Some identity providers don’t even make a “verified email address” an option—but that doesn’t necessarily mean that your website is automatically vulnerable to this attack. It just requires a little bit of extra work for your team.
2. If the identity provider doesn’t provide a verified email address, ensure that the user proves ownership of both accounts before performing the account merge.
An effective account merge process will require a user to prove ownership of the original account, before permitting access from a secondary social account. It may be an extra step for the end user, but it’s the most reliable way to ensure that a fraudulent account isn’t merged with a legitimate account. It’s well worth the precaution.
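The two steps above describe one merge decision. The following is an added example (not Janrain’s code, nor IBM’s) that puts the weak flow beside the hardened one: the weak version links a social identity to an existing local account on the bare “email” claim, while the hardened version auto-merges only when the provider asserts the address is verified and otherwise holds the merge until the user authenticates to the original account. The provider names, account store, password hashing and payload fields (“email”, “email_verified”) are assumptions for illustration; all accounts and payloads are constructed.

```python
"""Account-merge decision for social login (added example, constructed data).

Compares merging on any e-mail claim with merging only on a verified one,
and shows the ownership-proof fallback when no verification flag is given.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    email: str
    salt: bytes
    pw_hash: bytes
    linked_providers: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_local_account(email: str, password: str) -> LocalAccount:
    salt = os.urandom(16)
    return LocalAccount(email.lower(), salt, _hash_password(password, salt))


def password_matches(account: LocalAccount, password: str) -> bool:
    return hmac.compare_digest(account.pw_hash, _hash_password(password, account.salt))


# Outcomes of a social login attempt against the local account store.
MERGED = "merged"                  # social identity attached to the existing account
NEW_ACCOUNT = "new_account"        # no local account with that address; register fresh
PROOF_REQUIRED = "proof_required"  # address matches but is unverified: prove ownership


def merge_on_any_email(payload: dict, accounts: dict) -> str:
    """Weak flow: trusts the 'email' claim whether or not the provider verified it."""
    account = accounts.get(payload.get("email", "").lower())
    if account is None:
        return NEW_ACCOUNT
    account.linked_providers.add(payload["provider"])
    return MERGED


def merge_on_verified_email(payload: dict, accounts: dict) -> str:
    """Hardened flow: auto-merge only when 'email_verified' is explicitly True.
    A missing flag (provider exposes none) is treated the same as unverified."""
    account = accounts.get(payload.get("email", "").lower())
    if account is None:
        return NEW_ACCOUNT
    if payload.get("email_verified") is True:
        account.linked_providers.add(payload["provider"])
        return MERGED
    return PROOF_REQUIRED


def complete_merge_with_proof(payload: dict, accounts: dict, password: str) -> str:
    """Second step after PROOF_REQUIRED: merge only once the user authenticates
    to the original account (a password here; any factor on that account would do)."""
    account = accounts.get(payload.get("email", "").lower())
    if account is None or not password_matches(account, password):
        return PROOF_REQUIRED
    account.linked_providers.add(payload["provider"])
    return MERGED


def demo() -> dict:
    """Constructed scenario: a local account exists for victim@example.com and a
    social-provider payload claims that address with, without, or lacking verification."""
    def store() -> dict:  # fresh store per case so outcomes do not bleed into each other
        return {"victim@example.com": create_local_account("victim@example.com", "correct horse")}

    unverified = {"provider": "example-idp", "email": "victim@example.com", "email_verified": False}
    verified = {"provider": "example-idp", "email": "victim@example.com", "email_verified": True}
    no_flag = {"provider": "other-idp", "email": "victim@example.com"}
    return {
        "weak_unverified": merge_on_any_email(unverified, store()),
        "hardened_unverified": merge_on_verified_email(unverified, store()),
        "hardened_no_flag": merge_on_verified_email(no_flag, store()),
        "hardened_verified": merge_on_verified_email(verified, store()),
        "proof_wrong_password": complete_merge_with_proof(no_flag, store(), "guess"),
        "proof_right_password": complete_merge_with_proof(no_flag, store(), "correct horse"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The only case in which the weak flow and the hardened flow differ is the unverified (or flag-less) claim: the weak flow links the social identity immediately, which is exactly the condition the post describes as exploitable, while the hardened flow returns `proof_required` and completes the merge only after the original account’s credential checks out.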
3. Use a purpose-built customer identity management platform for registration and login, and rely on us to be the experts.
At Janrain, we spend a lot of time thinking about digital security, so our account merge process was built to ensure that our customers’ accounts can’t be compromised. Our customer identity management platform includes a secure and robust account merge flow that’s pre-built according to these best practices—which means that customers using our platform were never at risk.
Janrain has validated that the majority of the identity providers we make available to our customers are not vulnerable to this attack. You can learn in more detail about the different data payloads made available by our identity providers, including whether they provide a verified email address, by exploring the Janrain Provider Guide. For additional information and recommendations for ways identity providers can mitigate this vulnerability, read IBM’s full whitepaper on their SpoofedMe research.