SAML vulnerability abuses SSO to impersonate other users
A flaw within the Security Assertion Markup Language standard can be exploited to enable hackers to pose as someone else.
Attackers can exploit a flaw in single sign-on (SSO) systems to log in as another user's account, Duo Security has disclosed.
Vulnerabilities in how several libraries handle Security Assertion Markup Language (SAML) allow an attacker to impersonate someone else.
This is according to Duo researcher Kelby Ludwig, who recently exposed the vulnerability in the Duo Network Gateway.
According to the report, OneLogin’s python-saml and ruby-saml, Clever’s saml2-js, the OmniAuth-SAML, and the Shibboleth openSAML C++ SSO toolkits were also affected by the bug.
Ludwig explained that a remote attacker could modify the SAML content without invalidating the cryptographic signature that is required for authentication.
This means that a hacker could alter the user ID so that it appears they are using another person's account, without knowing that person's password.
Ludwig did add that an attacker would need a log-in of their own in order to obtain a SAML message in the first place.
He noted: “Exploitation of the bug is very simple. It just requires intercepting the SAML message and changing seven characters.”
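The article does not say which seven characters; Duo's advisory identified an XML comment (`<!---->`) placed inside the NameID: the signed bytes are unchanged, so the signature still verifies, but application code that reads only the text before the first child node sees a truncated identifier. The Python below is an added illustration, not code from the article or from any of the affected libraries; it uses constructed assertions with no real signature, assumes signature verification over the original bytes has already passed, and shows the lenient read beside a strict check that rejects any NameID that is not a single text node.

```python
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (no Signature element; assume the signature
# over the original bytes was already verified before the NameID is read).
CLEAN = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
# Same document with a seven-character XML comment inside the NameID.
TAMPERED = CLEAN.replace(
    "alice@example.com", "alice@example.com<!---->.evil.example"
)


def _name_id_element(assertion_xml: str):
    """Locate the single NameID element; anything else is malformed."""
    doc = minidom.parseString(assertion_xml)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one NameID, found {len(nodes)}")
    return nodes[0]


def lenient_name_id(assertion_xml: str) -> str:
    """Reads only the first text node: a comment splits the text, so the
    value returned is shorter than the identifier that was signed."""
    return _name_id_element(assertion_xml).firstChild.data


def strict_name_id(assertion_xml: str) -> str:
    """Accept NameID only when it is exactly one text node; reject comments,
    child elements, or text split into several nodes."""
    children = _name_id_element(assertion_xml).childNodes
    if len(children) != 1 or children[0].nodeType != minidom.Node.TEXT_NODE:
        kinds = ", ".join(c.nodeName for c in children)
        raise ValueError(f"NameID is not a single text node: {kinds}")
    return children[0].data


def strict_accepts(assertion_xml: str) -> bool:
    """True if the strict extractor accepts the assertion's NameID."""
    try:
        strict_name_id(assertion_xml)
        return True
    except ValueError:
        return False
```

For the tampered sample the lenient extractor returns `alice@example.com` although the signed value is `alice@example.com.evil.example`, while the strict extractor rejects the assertion.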
While posing as another user may not seem particularly dangerous, Ludwig added that it could easily let hackers escalate from a low-privilege user to an administrator.