WELCOME

The attacker managed to grab the username and password from

June 23, 2017 by Catherine Pope

The attacker managed to grab the username and password from the login interface and use it to impersonate the user. He then used a third-party website to inject a malicious code into the login page. The attacker then made his own fake login page, claiming to have the credentials of "a Russian hacker." The social security system in question didn’t recognize that the login page had been created with SSO and created a fake login page so that it was possible to impersonate the login page's login window.

The Social Security System in question was the same site that used to give fake social security numbers to fake login pages. When the identity of the site was exposed, the attacker would then impersonate the login page's login window. The login window was only visible for a few seconds, but when the username and password were passed, the login window was opened and SSO was created. It was not difficult to determine the login window wasn’t compromised because the system was designed to be an honest alternative to SSO.

The research was published online Feb. 26 in the journal Security Research and Education.

The researchers were testing the social security system on two different social sites and found that the login UI was not quite as good as Facebook's, which had to perform far more complicated authentication and verification.

In addition to the SSO, the researchers found that the social security system also used a browser vulnerability known as Vulnerability #1, which allows attackers to gain unauthorized access to the system via a vulnerability that isn’t patched for the software. While a malicious page would appear to bypass the vulnerability, it is not entirely clear how the attacker could gain access to the system and then redirect the user to an easy-to-use webpage.

The research did not reveal how the attacker could gain unauthorized access to the social security system with a browser vulnerability like Vulnerability #1, but it did indicate that the social security system is a good bet for a simple attack. The researchers say it is very easy to bypass SSO via browser vulnerabilities, such as Vulnerability #1, and that the social security system may offer a better solution.