An increasing number of organisations are embracing software-as-a-service or integrating social media into their consumer-facing websites.  Securing access to these external services for employees, or authenticating customers using a social media identity, is a common problem, and an alphabet soup of standards and libraries has sprung up in response, including SAML, SCIM, OpenID, OpenID Connect, OAuth, OAuth2 and many others.  These standards and protocols are increasingly mature – they're baked into vendor offerings and RFPs.

A recent vulnerability analysis of SAML by researchers at the University of Bochum in Germany highlights the dangers of blindly trusting third-party libraries and protocols.  In an ingenious attack they managed to manipulate the SAML token so as to impersonate any authenticated user they wished.

The attack didn't require network access or any high privilege; they simply manipulated the digitally signed token and managed to fool 11 of the 14 major SAML frameworks into accepting their bogus credentials.  Given the potential for widespread access and the relative ease of exploit, this is a significant issue and neatly highlights the danger of familiarity.
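The weakness behind that figure is XML Signature Wrapping: a genuine signature over one assertion is left intact while the application is steered to consume a different assertion in the same document, so the validator and the consumer disagree about which element was checked. The code below is an added illustration, not code from the researchers or from any SAML framework; it assumes the cryptographic verification of ds:SignatureValue is done by a proper XML-DSig library and shows only the structural binding a relying party must enforce on top of that, using Python's standard xml.etree and a constructed sample response.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not a real IdP response: one enveloped-signed Assertion.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def signed_assertion_or_none(response_xml):
    """Return the single Assertion the relying party may act on, else None.
    Hypothetical helper: cryptographic verification of ds:SignatureValue is
    assumed to be done by a real XML-DSig library; this enforces only that the
    element consumed is the element signed, with no second Assertion present."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    # A wrapped document carries an extra Assertion somewhere; refuse it.
    if len(assertions) != 1:
        return None
    assertion = assertions[0]
    # Signature must be enveloped directly in the Assertion, not elsewhere
    # in the Response where a lenient validator would still find it.
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return None
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if len(refs) != 1:
        return None
    # Reference URI must be "#<ID>" naming this very Assertion ...
    ident = assertion.get("ID")
    if not ident or refs[0].get("URI") != "#" + ident:
        return None
    # ... and that ID must be unique, or lookup by ID is ambiguous.
    if sum(1 for el in root.iter() if el.get("ID") == ident) != 1:
        return None
    return assertion

def subject_name_id(response_xml):
    """NameID of the authenticated subject, or None if the token is rejected."""
    assertion = signed_assertion_or_none(response_xml)
    if assertion is None:
        return None
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return None if name_id is None else name_id.text
```

The point is the ordering: decide which element the signature covers first, then read identity only from that element, never the reverse.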

SAML, to continue with this example, is now so baked into federation thinking and the everyday language of products that it's just assumed to be secure: "everyone's doing it, so if we use a well-known library we're safe, right?" This exploit serves to highlight how continued professional scepticism is still required even if we're comfortable with the technology – use the standard, implement the library, but never blindly trust it just because everybody knows how it works.
