Enterprise Risk Services blog

Sharing industry issues, insights and ideas

Are you professionally sceptic?

An increasing number of organisations are embracing software-as-a-service or integrating social media into their consumer-facing websites.  Securing employees' access to these external services, or authenticating customers with a social-media identity, is a common problem, and an alphabet soup of standards and libraries has sprung up in response, including SAML, SCIM, OpenID, OpenID Connect, OAuth, OAuth2 and many others.  These standards and protocols are increasingly mature: they are baked into vendor offerings and RFPs.

A recent vulnerability analysis of SAML by researchers at the University of Bochum in Germany highlights the dangers of blindly trusting third-party libraries and protocols.  In an ingenious attack they manipulated a digitally signed SAML token so that the relying service accepted them as any authenticated user they wished, without the signature check failing.

The attack did not require a privileged network position or any elevated rights: starting from one genuinely signed token, they restructured it so that the signature still verified while the identity the framework acted on was one they had chosen, and 11 of the 14 major SAML frameworks tested accepted the bogus credentials.  Given the breadth of access at stake and the relative ease of exploitation this is a significant issue, and it neatly highlights the danger of familiarity.
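The manipulation in the Bochum paper is XML Signature Wrapping: the verifier checks the signature over the element its Reference points at, but the application then reads the identity from a different element in the same document. The following is an added example, not code from the researchers or from any SAML framework, built only on Python's standard library. An HMAC-SHA256 over a whitespace-stripped serialisation stands in for XMLDSig's canonicalisation, enveloped-signature transform and RSA signature; the key, the token and the IDs inside it are constructed for the illustration.

```python
"""Toy model of the SAML signature-wrapping flaw: an added example, not the Bochum
researchers' code nor any SAML framework's. HMAC-SHA256 over a whitespace-stripped
serialisation stands in for XMLDSig; the key and the sample tokens are constructed."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
IDP_KEY = b"constructed-idp-signing-secret"  # stand-in for the IdP's private key


def canonical(assertion):
    """Toy canonicalisation shared by signer and verifier: copy the element, drop any
    enveloped ds:Signature, strip whitespace-only text and tails, then serialise."""
    node = copy.deepcopy(assertion)
    for sig in node.findall("ds:Signature", NS):
        node.remove(sig)
    for el in node.iter():
        el.text = el.text if el.text and el.text.strip() else None
        el.tail = el.tail if el.tail and el.tail.strip() else None
    return ET.tostring(node, encoding="utf-8")


def sign_assertion(assertion):
    """IdP side: append an enveloped signature whose Reference names the assertion ID."""
    mac = hmac.new(IDP_KEY, canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = mac


def build_response(name_id, assertion_id="_a1"):
    """IdP side: a minimal signed Response for one user (constructed sample token)."""
    root = ET.Element(f"{{{SAMLP}}}Response")
    assertion = ET.SubElement(root, f"{{{SAML}}}Assertion", ID=assertion_id)
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    sign_assertion(assertion)
    return ET.tostring(root, encoding="unicode")


def wrap_signature(signed_xml, forged_name_id):
    """Attacker side: insert an unsigned assertion for the chosen identity in front of
    the genuine one, which stays put so the Reference still resolves and verifies."""
    root = ET.fromstring(signed_xml)
    forged = copy.deepcopy(root.find("saml:Assertion", NS))
    forged.remove(forged.find("ds:Signature", NS))
    forged.set("ID", "_forged")  # distinct ID: a duplicate-ID check alone would not trip
    forged.find("saml:Subject/saml:NameID", NS).text = forged_name_id
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")


def _mac_matches(sig, element):
    expected = hmac.new(IDP_KEY, canonical(element), hashlib.sha256).hexdigest()
    given = sig.findtext("ds:SignatureValue", "", NS)
    return hmac.compare_digest(expected.encode(), given.encode())


def vulnerable_login(response_xml):
    """SP side, the pattern the affected frameworks shared: verify a signature over the
    element its Reference names, then read the identity from the first assertion."""
    root = ET.fromstring(response_xml)
    sig = root.find(".//ds:Signature", NS)
    ref_id = sig.find("ds:SignedInfo/ds:Reference", NS).get("URI")[1:]
    signed = next(el for el in root.iter() if el.get("ID") == ref_id)
    if not _mac_matches(sig, signed):
        raise ValueError("bad signature")
    # The bug: the identity comes from document order, not from the element just verified.
    return root.findtext(".//saml:Assertion/saml:Subject/saml:NameID", None, NS)


def hardened_login(response_xml):
    """SP side, hardened: one assertion, one signature, unique IDs, signature enveloped in
    the assertion it references, identity read only from that verified element."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    sigs = root.findall(".//ds:Signature", NS)
    if len(assertions) != 1 or len(sigs) != 1:
        raise ValueError("expected exactly one assertion and one signature")
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes")
    assertion, sig = assertions[0], sigs[0]
    aid = assertion.get("ID")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if not aid or ref is None or ref.get("URI") != "#" + aid or sig not in list(assertion):
        raise ValueError("signature does not envelop the assertion it references")
    if not _mac_matches(sig, assertion):
        raise ValueError("bad signature")
    return assertion.findtext("saml:Subject/saml:NameID", None, NS)
```

With `legit = build_response("alice")` and `forged = wrap_signature(legit, "admin")`, `vulnerable_login(forged)` returns `"admin"` even though the only signature in the document was made over alice's assertion, while editing the NameID inside the signed assertion directly is caught by both verifiers. `hardened_login` rejects the wrapped document because it contains two assertions; the discipline that matters is that the identity is read from the element whose signature was checked and from nothing else. In production, lean on a maintained and patched library rather than hand-rolled checks; the toy only shows what that library has to get right.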

SAML, to continue with this example, is now so baked into federation thinking and the everyday language of products that it is simply assumed to be secure: "everyone's doing it, so if we use a well-known library we're safe, right?"  This exploit highlights that continued professional scepticism is still required even when we are comfortable with the technology.  Use the standard, implement the library, but never trust blindly just because everybody knows how it works.

Paul Boichat
Paul is a Partner in Deloitte's Enterprise Risk Services practice specialising in Security & Resilience.  He has significant consultancy experience helping organisations plan, design and deliver large-scale security programmes across many sectors.

Comments

  • Thanks for the informative post. I am sure this post has helped me save many hours of browsing other similar posts just to find what I was looking for.

    Posted by: donate shoes on 01/18/2013 at 05:09 PM

  • Top post. I look forward to reading more. Cheers.

    Posted by: web design service uk on 12/09/2012 at 11:48 AM

The comments to this entry are closed.