Posted by Or Peles on Dec 04

Hi,

We have discovered an impersonation attack on social login protocols (e.g.
Oauth 1.0 / 2.0 used for authentication) based on a combination of an
implementation vulnerability existing in some identity providers (e.g.
LinkedIn, which has fixed the issue) and a known design problem in the
relying (third-party) website side.

The identity provider vulnerability is allowing the use of un-verified
email in the social login authentication…