https://www.theregister.com/2022/05/25/web_pre_hijacking/

The reporter here seems to understand the issue (at least somewhat).

There must be five ways to break your security

Their threat model makes certain assumptions:

that the attacker can access the target service and third-party IdP services;
that the attacker can create free and paid accounts at the target service but doesn't have admin rights;
that the attacker can create accounts with IdP services and use these with the target service;
and that the attacker knows the victim's email address and other basic details like first and last name.

Some of the attack variations assume being able to make the victim visit an attacker-controlled URL. The threat model also posits that the victim has enough security awareness to not respond to phishing, but allows that the victim ignores notifications sent from services where the victim has not yet established an account – an assumption the researchers claim is supported by prior research. As such, while these attacks do not depend directly on social engineering, they rely on certain kinds of social behavior.

1. Classic-Federated Merge Attack

The first of these is called the Classic-Federated Merge Attack, which requires the target service to support both classic (supply email address and password) account creation and SSO account creation through an IdP like Facebook Login.

1.1. Attack begins

The attacker uses the classic approach to sign up for an account using the victim's email address and an attacker-chosen password.

1.2. Victim signs up

Then at some later time, the victim signs up via an IdP.

1.3. It's not certain what will happen next.

The victim may or may not pay attention to notifications of account creation or of a pre-existing account, and could thwart the attack with a password reset.

But if the service silently merges the federated sign-up into the attacker's pre-created account, the attacker may continue to be able to sign in via the classic method (with the password they chose) while the victim accesses the same account via the IdP.
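The merge step is where the attack succeeds or fails, so the following added example (not code from The Register, the researchers, or any real service; all names such as Service, signup_classic, signup_federated and the constructed addresses are hypothetical) models a toy account store in both forms: a vulnerable service that links an IdP identity to any pre-existing account with the same email, and a hardened one that refuses to inherit unverified classic credentials when the IdP user claims the address. Running the three steps above against each shows that only the vulnerable one leaves the attacker's password working.

```python
"""
Toy model of the Classic-Federated Merge Attack (added example; hypothetical
service, not any real site's code).

Vulnerable behaviour: a federated sign-up that matches an existing account by
email is simply linked to it, so an attacker-chosen password on an
unverified, pre-created account keeps working after the victim arrives.

Hardened behaviour: if nobody has proved ownership of the address yet, the
unverified classic credentials are discarded before the IdP identity is
linked (a real service would also revoke open sessions and notify the user).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    pw_salt: Optional[bytes] = None
    pw_hash: Optional[bytes] = None
    email_verified: bool = False          # set once the verification link is clicked
    idp_subjects: Set[str] = field(default_factory=set)


class Service:
    def __init__(self, hardened: bool):
        self.accounts: Dict[str, Account] = {}
        self.hardened = hardened

    # --- classic path -------------------------------------------------
    def signup_classic(self, email: str, password: str) -> Account:
        if email in self.accounts:
            raise ValueError("account already exists")
        salt = os.urandom(16)
        acct = Account(email, salt, _hash_pw(password, salt))
        self.accounts[email] = acct
        # A verification email goes out here; the attacker never clicks it.
        return acct

    def verify_email(self, email: str) -> None:
        self.accounts[email].email_verified = True

    def reset_password(self, email: str, new_password: str) -> None:
        # The victim's countermeasure mentioned in the text: overwrite the hash.
        acct = self.accounts[email]
        acct.pw_salt = os.urandom(16)
        acct.pw_hash = _hash_pw(new_password, acct.pw_salt)

    def login_classic(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.pw_hash is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.pw_salt))

    # --- federated path -----------------------------------------------
    def signup_federated(self, email: str, idp_subject: str) -> Account:
        # Assumes the IdP asserts that it has verified `email` on its side.
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email, email_verified=True)
            self.accounts[email] = acct
        elif self.hardened and not acct.email_verified:
            # Ownership was never proved: drop the pre-created classic
            # credentials instead of merging the IdP user into them.
            acct.pw_salt = None
            acct.pw_hash = None
            acct.email_verified = True
        # Vulnerable service falls through and links regardless.
        acct.idp_subjects.add(idp_subject)
        return acct

    def login_federated(self, email: str, idp_subject: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and idp_subject in acct.idp_subjects


def run_merge_attack(hardened: bool) -> Dict[str, bool]:
    """Steps 1.1 and 1.2 from the text, then check who can sign in."""
    svc = Service(hardened)
    svc.signup_classic("victim@example.com", "attacker-chosen-pw")   # 1.1 attacker
    svc.signup_federated("victim@example.com", "facebook:12345")      # 1.2 victim
    return {
        "victim_idp_login": svc.login_federated("victim@example.com", "facebook:12345"),
        "attacker_pw_login": svc.login_classic("victim@example.com", "attacker-chosen-pw"),
    }


def run_with_victim_reset(hardened: bool) -> bool:
    """Step 1.3: the victim notices and resets the password; attacker locked out?"""
    svc = Service(hardened)
    svc.signup_classic("victim@example.com", "attacker-chosen-pw")
    svc.signup_federated("victim@example.com", "facebook:12345")
    svc.reset_password("victim@example.com", "victim-new-pw")
    return svc.login_classic("victim@example.com", "attacker-chosen-pw")


if __name__ == "__main__":
    print("vulnerable:", run_merge_attack(hardened=False))
    print("hardened:  ", run_merge_attack(hardened=True))
```

The design point is that the decision must key on whether the address was ever verified, not on whether an account row already exists: the vulnerable branch treats "same email" as "same person", which is exactly the assumption the pre-created account exploits.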


CategoryDns CategoryWatch CategoryTemplate

MoinQ: なりすまし/account_pre-hijacking/theregister (last edited 2022-05-26 07:18:26 by ToshinoriMaeno)