Slack, a cloud-based communications platform, has released a patch for a vulnerability in its implementation of the Security Assertion Markup Language (SAML), the standard it uses for authentication.
The flaw in Slack's SAML implementation affected the company's customers, since many of them rely on SAML-based authentication to access their Slack accounts.
So, what is SAML?
It is an open standard that describes how businesses offer their users authentication and authorization. SAML defines a framework for exchanging authentication and authorization data between identity providers and service providers, and it is commonly used to implement single sign-on across multiple platforms and other resources.
The SAML vulnerability was uncovered by Antonio Sanso, a senior software engineer at Adobe, in February 2017.
According to the platform's bug bounty program, the vulnerability was confirmed and A. Sanso received a $3,000 award for the discovery.
"The vulnerability I found is part of the class known as 'confused deputy problem'," the researcher wrote in a personal blog post about the discovery.
A confused deputy problem is a specific type of privilege escalation bug: a program that has been granted authority for one purpose is tricked by another party into misusing that authority for something else.
In addition, according to A. Sanso, "Basically, SAML assertions, among others, contain an element called Audience and AudienceRestriction."
The researcher found that Slack's SAML login did not properly check the assertions presented to it. This gave former Slack users holding an assertion that was no longer valid the ability to access a Slack account that had expired and was no longer legitimately available to them.
The researcher also showed that even an expired assertion could be exploited by cybercriminals and malicious applications.
"To be more concrete, I used an old and expired (yes, the Assertion was also expired!!) GitHub Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely, the username was not asanso, aka me) and I presented it to Slack. Slack happily accepted it and I was logged into a Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one."
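The two checks whose absence the quote above describes, the AudienceRestriction and the validity window, as an added example of what a service provider must verify; this is not code from the article, from Slack or from the researcher. It assumes the assertion's XML signature has already been verified, and every entityID, issuer and username in it is constructed.

```python
"""Added example, not code from the article or from Slack: the Audience and
validity-window checks a SAML service provider must apply to every Assertion.
It assumes the XML signature was already verified; all names are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value: str) -> datetime:
    # SAML carries xs:dateTime in UTC, e.g. "2017-02-01T12:00:00Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text: str, our_entity_id: str, now_utc: str) -> list:
    """Return the rejection reasons for an Assertion; an empty list means accept."""
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return ["no_conditions"]
    now, reasons = parse_saml_time(now_utc), []
    # Validity window: NotBefore <= now < NotOnOrAfter, so an expired one fails
    not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        reasons.append("not_yet_valid")
    if not_after is None or now >= parse_saml_time(not_after):
        reasons.append("expired")
    # Audience: our own entityID must be listed, otherwise the Assertion was
    # issued for another service provider (the confused deputy case above)
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if our_entity_id not in audiences:
        reasons.append("audience_mismatch")
    return reasons

def make_assertion(audience: str, not_before: str, not_after: str, subject: str) -> str:
    """Build a constructed, unsigned sample Assertion to exercise the checks."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_sample" Version="2.0"
  IssueInstant="{not_before}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP, NOW = "https://chat.example.test/saml", "2017-02-01T12:00:00Z"  # constructed
if __name__ == "__main__":
    stale = make_assertion("https://code.example.test/saml", "2016-05-01T10:00:00Z",
                           "2016-05-01T10:05:00Z", "someone.else")  # other SP, long expired
    fresh = make_assertion(SP, "2017-02-01T11:59:00Z", "2017-02-01T12:04:00Z", "alice")
    print(check_assertion(stale, SP, NOW), check_assertion(fresh, SP, NOW))
```

The stale assertion is rejected for both reasons at once, which is the combination the researcher's saved assertion would have triggered had either check been in place.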
Slack did not answer questions about the case; it only noted that the issue has since been fixed and that the patch for the SAML authentication hole is available to its users.