SAML protocol bug let hackers log in as other users

A validation bug in how some single sign-on products implemented an open authentication standard could have allowed an attacker to log in to a site or service as though they were the victim they were targeting.
Written by Zack Whittaker, Contributor


A vulnerability in how some products have implemented a single sign-on protocol that lets users log in to websites and services with a single username and password could let an attacker log in instead.

The flaw isn't in the open authentication standard itself, but in how makers of password and online identity managers have implemented the code, according to security firm Duo.

Single sign-on solutions are commonly used by enterprise customers, who use their company's login information and, through a third-party identity service, can log in to other online sites and services, such as email and social media accounts, in a flash.

But this new vulnerability lets an attacker take the authenticated response to a login request and switch a portion with an attacker's information instead.

That means an attacker can log in as though they were the victim they were targeting.

The exploit works by modifying the response after a username and password have been verified: the identity service sends that response back to the user's browser to log them in. If an attacker modifies the response, the validating signature is also meant to change -- but if the signatures aren't properly checked, the system is none the wiser.

Duo researchers said the results of the attack "varies greatly" between services at risk by the bug.
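The check the article describes, as an added illustration (not Duo's code or any vendor's): a service that reads the identity out of the response before confirming the signature covers it, beside one that verifies the signature over the exact bytes it is about to parse. The HMAC tag, the shared key and the assertion are constructed stand-ins for XML Signature and a real SAML response.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed demo key shared by identity service and relying site; a stand-in
# for the identity service's signing key (real SAML uses XML Signature).
IDP_KEY = b"constructed-demo-key"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sign_assertion(assertion_xml: bytes) -> bytes:
    """Tag the exact assertion bytes; any later change must break this tag."""
    return hmac.new(IDP_KEY, assertion_xml, hashlib.sha256).hexdigest().encode()


def extract_nameid(assertion_xml: bytes) -> str:
    node = ET.fromstring(assertion_xml).find(".//saml:NameID", NS)
    return node.text or ""


def login_unchecked(assertion_xml: bytes, signature: bytes) -> str:
    """Vulnerable pattern: the identity is trusted without checking the signature."""
    return extract_nameid(assertion_xml)


def login_verified(assertion_xml: bytes, signature: bytes) -> Optional[str]:
    """Hardened pattern: verify the signature over the bytes that will be parsed,
    and only then read the NameID out of those same bytes. Returns None on failure."""
    if not hmac.compare_digest(sign_assertion(assertion_xml), signature):
        return None
    return extract_nameid(assertion_xml)


# Constructed response issued after a legitimate login, and the signature over it.
ORIGINAL = (b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            b'<saml:Subject><saml:NameID>attacker@example.com</saml:NameID>'
            b'</saml:Subject></saml:Assertion>')
SIGNATURE = sign_assertion(ORIGINAL)

# The modification the article describes: the identity portion of the
# authenticated response is swapped for another account's, signature left as is.
TAMPERED = ORIGINAL.replace(b"attacker@example.com", b"victim@example.com")

if __name__ == "__main__":
    print("unchecked:", login_unchecked(TAMPERED, SIGNATURE))  # victim@example.com
    print("verified: ", login_verified(TAMPERED, SIGNATURE))   # None
```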

"The presence of this behavior is not great, but not always exploitable," the research said, because different setups produce different results.

The researchers worked closely with Carnegie Mellon University's public vulnerability database CERT, which issued its own guidance Tuesday, as part of the effort to responsibly disclose the bug to several companies.

Duo's own network gateway product was vulnerable to the SAML implementation flaw, the researchers said, warning users to upgrade their firmware.

Several companies affected by the vulnerability, including Clever, did not respond to a request for comment prior to publication.

A OneLogin spokesperson confirmed the company was affected by the implementation bug.

"There is no action required for users of the OneLogin platform itself; the required action is for developers that maintain apps that depend on any of the toolkits listed in the security advisory to use the provided patched versions," the spokesperson said.

A spokesperson for Shibboleth, an open source single sign-on project, did respond, and expressed gratitude to the researchers.

"Finding this was a very valuable bit of work by Duo, for which we are certainly appreciative," said Scott Cantor, a developer, in an email. "We had a very similar bug recently that was patched last month, and this was a generalization of the problem. We decided to revisit the affected section of the code and redo it from scratch to avoid any similar bugs in the future."

Cantor said that fewer Shibboleth deployments are likely to be affected because the project requires XML encryption, which protects sensitive data in transit but which other sites and services "seem unwilling to support."

"Many cloud providers refuse to support XML Encryption, and they are likely among those that will be affected," he said. "We expect to be testing for and finding vulnerable implementations in our community for a while after this."

The researchers said that accounts with two-factor setup are less likely to be hacked without authorization, as the second token is sent to the owner's phone and is much harder to intercept.
