Identity Theft: Attacks on SSO Systems

Conference:  BlackHat USA 2018

The presentation discusses how exploitable the truncation vulnerability that is common to multiple SSO systems actually is, with a focus on the identity provider (IdP) and its configuration.
  • GitLab's exposure to the truncation vulnerability is used as a case study for exploitation
  • The IDP's features and configurations greatly influence exploitability
  • Two-factor authentication may not completely eliminate the vulnerability
  • Self-registration and mutable identities increase the impact of the vulnerability
The presentation explains how an attacker can exploit GitLab's vulnerability: the attacker's NameID is truncated so that it matches the external identifier mapped to the target user. The attacker can then read the victim's profile information and even overwrite it with their own. The presentation also highlights the impact of mutable identities: where users can influence their own SSO identity, the impact of the vulnerability grows considerably.


SAML is often the trust anchor for Single Sign-On (SSO) in most modern-day organizations. This presentation discusses a newly discovered vulnerability that has affected multiple independent SAML implementations and, more generally, can affect any system that relies on the security of XML signatures. The issues found through this research affected multiple libraries, which in turn may underpin many SSO systems. The root cause is the way various SAML implementations traverse the XML DOM after validating signatures. These vulnerabilities allow an attacker to tamper with signed XML documents, modifying attributes such as the authenticating user, without invalidating the signatures over those attributes. In many cases, this allows an attacker with authenticated access to a SAML Identity Provider to access services as an entirely different user, and more easily than you'd expect. This talk also discusses another demonstrated class of vulnerabilities in user directories that amplifies the impact of the previously mentioned vulnerability and, in some cases, can enable authentication bypasses on its own.
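As an added illustration of the post-validation DOM traversal described above (example code written for this page, not code from the talk or from any affected library), the following Python contrasts the "first text node" extraction pattern behind the truncation with a strict extraction that fails closed. The assertion snippets and the user name are constructed; an XML comment inside the NameID is used here as one concrete way the element's text ends up as more than one DOM node.

```python
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (not real traffic). Signature checking is assumed to have
# already passed on both; what differs is how the NameID text is read from the DOM afterwards.
CLEAN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Here the NameID text is split into two text nodes by an XML comment.
SPLIT_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com<!--x-->.other.example</saml:NameID></saml:Subject>
</saml:Assertion>"""


def _name_id_element(doc_xml: str):
    doc = minidom.parseString(doc_xml)
    elems = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(elems) != 1:
        raise ValueError("expected exactly one NameID element")
    return elems[0]


def naive_name_id(doc_xml: str) -> str:
    """The traversal pattern behind the truncation: read only the first text node."""
    return _name_id_element(doc_xml).firstChild.nodeValue


def strict_name_id(doc_xml: str) -> str:
    """Hardened extraction: accept the NameID only when it is exactly one text node.

    A comment, a nested element or several text nodes mean the value read here can
    differ from the full text the signature covered, so the assertion is rejected.
    """
    children = _name_id_element(doc_xml).childNodes
    if len(children) != 1 or children[0].nodeType != minidom.Node.TEXT_NODE:
        raise ValueError("NameID must consist of a single text node")
    return children[0].nodeValue


def name_id_is_well_formed(doc_xml: str) -> bool:
    """Boolean form of the check, handy for logging or alerting on rejected assertions."""
    try:
        strict_name_id(doc_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("naive :", naive_name_id(SPLIT_ASSERTION))          # alice@example.com (truncated)
    print("strict:", name_id_is_well_formed(SPLIT_ASSERTION))  # False
```

The strict variant is the check a service provider should apply before mapping a NameID to a local account; the naive variant is shown only so the difference in what each one returns is visible.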