SoylentNews is people
SoylentNews
A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user's password.
This could be used by an attacker who has compromised a low level limited access account to acquire access to third-party cloud services -- or it could be used by a malicious insider seeking access to reserved network areas (such as the payroll databases, or HR records).
The vulnerability was discovered by the research team of Duo Security, itself an SSO provider; and is described in a blog posted today. It affects many of the leading SSO providers, and probably affects the majority of proprietary company SSO developments.
[...] Not all SSO implementations are vulnerable to this glitch; but Duo has demonstrated that many are. All that is required from the attacker is a genuine account that he can 'modify' to his attack target, plus the relatively minor technical savvy to intercept and edit the SAML authentication as it passes through the browser.
Source: Widespread Vulnerability Found in Single-Sign-On Products
(Score: 3, Informative) by NotSanguine on Thursday March 01 2018, @07:21AM (7 children)
From TFA:
Vendor impact Information [cert.org]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 4, Insightful) by driverless on Thursday March 01 2018, @09:14AM (6 children)
It's also not necessarily a vuln in SAML but yet another of the infinite vulns in XML signatures. The problem with them is that you're signing active content that can be modified, and modify itself, without invalidating the signature (this is a feature of XML signatures, no other data format allows you to change the signed data without also invalidating the signature, how cool is XML for allowing that?). This one is a perpetual vulnerability machine, there have been endless vulns based on this over time, all you need to do is look at something that relies on XMLDSig and you'll find more.
(Score: 2) by JoeMerchant on Thursday March 01 2018, @01:36PM (5 children)
Calling that a signature is like calling a screen door a security layer.
🌻🌻 [google.com]
(Score: 2) by driverless on Thursday March 01 2018, @01:44PM (4 children)
I don't think you understand the spirit of XML here. Having a signature that is still regarded as valid even if the signed content changes, and that can actually attack the signature-verification code (it's active content and it's being interpreted by a Turing machine) just shows how powerful and cool XML is. Primitive stuff like PGP and S/MIME can't do anything like this. This just goes to show that XML is much cooler than they are.
(Score: 2) by JoeMerchant on Thursday March 01 2018, @04:04PM (3 children)
And I say again: "Calling this a signature is like calling a screen door a security layer."
Throughout the rest of the (oh, so not cool) industry, a signature means something: specifically that the content was created by the signer, and only the signer can make a valid signature.
We could also start calling the water that condenses in clouds and falls from the sky "kittens" when it falls in the cool patio outside the hip coffee shop, 'cause kittens are cool too, right? Except that everyone else who calls something "kittens" means something very different than water falling from the sky.
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Thursday March 01 2018, @04:18PM (2 children)
Apparently you missed the signature of sarcasm in the post you replied to.
(Score: 0) by Anonymous Coward on Thursday March 01 2018, @05:34PM (1 child)
Well the internet isn't here for sarcasm, but I'll give you one guess what it is really for
(Score: 0) by Anonymous Coward on Thursday March 01 2018, @07:03PM
Sarcasm?