A serious flaw has been discovered in the Spiceworks application, which creates an admin account for anyone logging in using their Facebook or LinkedIn details.
An admin with malicious intentions could change or delete passwords and cause havoc across the network. The Spiceworks application allows a network of 6 million IT professionals to exchange product reviews and publish how-tos.
According to a post on the Spiceworks network by a user called Darren K Smith, the issue is a new one, affecting the latest version of the application (7.4.00065) and could be exploited when authenticated on the login page for administrators: “This is new. Our previous version did not have the Facebook and LinkedIn buttons on the HelpDesk Admin Login screen.”
“To test we went to the Login Sceen for Admins (Not the User Portal). Clicked the Facebook login button. Enter credentials for a Facebook account and Spiceworks logged us into our helpdesk and when we reviewed the User Account settings, Spiceworks had created a new User account based on the facebook email along with giving it the Admin Role.”
Softpedia quotes a verification engineer at Spiceworks saying the glitch had been replicated and that the security issue “requires immediate attention,” with a fix being planned for this week.
In the interim, Spiceworks has disabled social sign-in on the application until an updated version is available - users who have been locked out by this process will have to reset their password in order to regain access, according to Softpedia.