XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Yeah, I’m so totally Sarah from accounts…

By John Leyden


Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming.

Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially exploited by hackers to log into systems, masquerade as other users, and access their accounts.

Single-sign-on systems (SSOs), for those who don't know, are typically used by enterprises, and large websites, to allow users and customers to log into lots of different services using one username and password pair – plus any two-factor authentication methods, of course. It means folks can sign into apps on phones, webpages on their desktop PCs, and so on, using one set of credentials.

According to the US Homeland Security-backed CERT, the Duo Network Gateway, OneLogin’s python-saml and ruby-saml, Clever’s saml2-js, OmniAuth-SAML, and the Shibboleth openSAML C++ SSO toolkits are vulnerable to authentication bypass attacks. Vendors of similar technology are potentially affected, too.

The security shortcomings were first discovered by Duo in its own product, and follow-up work revealed that other makers of SSO software were also affected. This is therefore a new class of bug, lying within the processing of SAML data.

Duo worked closely with US-CERT and the aforementioned developers since December to patch the bugs, and went public with its findings on Tuesday now that all the fixes are, we're told, available.


According to CERT: "A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider."

That sounds as though any unauthenticated scumbag can gain control of any account. However, Duo's Kelby Ludwig noted that to practically exploit this class of security hole, an attacker has to be logged in. Thus, the flaws allow a rogue user or customer to impersonate another person on the system, which still isn't very nice.

"This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password," explained Ludwig.

Ludwig's advisory has the full technical details, but to briefly summarize: when signing in, the system that performs the identity check produces a SAML response, which is sent to the system providing the service. This response contains, among other things, the account ID of the user logging in, and a digital signature of the data. That signature is supposed to ensure the information is tamper-proof: a tweaked response will not match its signature, and thus will be discarded.

It is, however, possible to log into an identity system, and carefully alter the valid SAML response so that it has a stranger's account ID instead of your own, all while keeping the signature valid. This modified access key is then presented to the service provider, and it appears to be legitimately generated by the identity checking system, due to the valid signature. Thus, you can log in as the stranger using this forged SAML response.

The trick is to exploit the fact that XML comments are skipped when generating the signature, but are not fully skipped when extracting the user account ID string. Oops.
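To make that mismatch concrete, here is an added illustration that is not from the article or from Duo's advisory. The SAML fragment and the "account-1234" ID are constructed placeholders, and Python's `xml.etree.ElementTree.canonicalize` (which drops comments by default, as the usual XML-DSig canonicalization algorithms do) stands in for the signing library's canonicalization step; the signature itself is omitted since it covers the canonical bytes.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom
from xml.dom.minidom import Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML fragment (Signature element omitted). "account-1234" is a
# placeholder account ID; an XML comment splits it into two text nodes.
ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
    '<saml:NameID>account-12<!-- dropped by c14n -->34</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
)
CLEAN_ASSERTION = ASSERTION.replace("<!-- dropped by c14n -->", "")


def signed_name_id(xml: str) -> str:
    """The NameID as the signature sees it: canonicalize first (comments are
    removed), then read the text. The comment never reaches the signer."""
    canonical = ET.canonicalize(xml)
    return ET.fromstring(canonical).find(f".//{{{SAML_NS}}}NameID").text


def _name_id_element(xml: str):
    doc = minidom.parseString(xml)  # minidom keeps comment nodes in the tree
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def naive_name_id(xml: str) -> str:
    """The vulnerable pattern: trust only the first text node. A comment
    splits the text, so the caller gets a truncated prefix of the real ID."""
    return _name_id_element(xml).firstChild.data


def safe_name_id(xml: str) -> str:
    """Hardened extraction: a NameID may contain text nodes only, and its
    value is the full concatenation, which matches what was canonicalized."""
    children = _name_id_element(xml).childNodes
    if any(node.nodeType != Node.TEXT_NODE for node in children):
        raise ValueError("NameID contains non-text nodes (comment or element)")
    return "".join(node.data for node in children)


if __name__ == "__main__":
    print("signed :", signed_name_id(ASSERTION))   # account-1234
    print("naive  :", naive_name_id(ASSERTION))    # account-12
    try:
        safe_name_id(ASSERTION)
    except ValueError as err:
        print("safe   : rejected ->", err)
    print("clean  :", safe_name_id(CLEAN_ASSERTION))  # account-1234
```

The signed and naively extracted values differ while the signature over the canonical form stays valid, which is exactly the gap the advisory describes; the hardened extractor either returns the same string the signer saw or refuses the assertion.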


Steve Manzuik, director of security research at Duo Security, told El Reg that the advisory is in "no way an attempt to criticize competitors’ products. In fact, the coordinated disclosure alongside our own customer notification is intended to do the exact opposite."

"This vulnerability was identified during an internal review to vet possible software dependencies," he explained. "It was after we identified that issue, that we felt other SAML libraries could be affected by the same or similar issues. That hypothesis turned out to be correct. We found a vulnerability that affects multiple SAML libraries. These libraries can be used by organizations to enable, for example, Single-Sign-On between websites in their organization."

So: check your SSO library or provider for any security updates, and apply them when you can, ideally before miscreants start to exploit this class of bug. ®
