SShortSingh.
Back to feed

SSO Account Takeover Exploited Email as Identity Key Instead of Provider-Subject Pair

0
·1 views

A security vulnerability in a multi-tenant SSO platform allowed attackers to take over any user account without a password or phishing by exploiting how federated login assertions were resolved to local accounts. The system used the email address from an IdP assertion as the primary lookup key, but in a multi-tenant environment any tenant controlling their own SAML or OIDC provider could assert any email string they chose. Because the assertion signature was cryptographically valid, all individual security checks passed — yet the wrong account was granted access. The root cause was treating a forgeable, globally non-unique field as a trusted identity anchor rather than using the unforgeable (provider, subject-identifier) pair scoped to each connection. The fix involved abandoning email-based account resolution entirely and keying returning users on the (provider, sub) tuple, relegating email to a non-authoritative linking hint only.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

DeepSeek Leads on Price and Speed as Chinese AI APIs Face Head-to-Head Test

A software architect with a decade of production system experience conducted weeks of stress testing on four major Chinese AI APIs — DeepSeek, Qwen, Kimi, and GLM — evaluating p99 latency, failover behavior, and cost per million tokens under real workloads. DeepSeek's V4 Flash model emerged as the top price-performance pick, delivering around 60 tokens per second with stable tail latency at just $0.25 per million output tokens. Qwen, backed by Alibaba, stood out for offering the widest range of model sizes, including budget options as cheap as $0.01 per million tokens. Kimi commanded the highest prices at $3.00–$3.50 per million tokens but justified the cost with superior performance on reasoning-heavy tasks. GLM, developed by Zhipu AI, distinguished itself with the strongest Chinese-language quality and multimodal support not matched by the other three providers.

0
ProgrammingDEV Community ·

Residential Proxies Explained: Choosing the Right IP Strategy for Developers

Developers building scrapers or automation tools often face blocks and CAPTCHAs in production, making proxy selection a critical technical decision. Residential proxies use real ISP-assigned IPs, making them harder for anti-bot systems to detect compared to datacenter alternatives. Different proxy types serve distinct purposes: rotating residential IPs suit large-scale scraping, while static ISP proxies work better for stateful tasks like logins and account sessions. Providers such as Oxylabs and Bright Data cater to enterprise-scale needs, while IPRoyal, DataImpulse, and Webshare are recommended for budget or prototype use cases. Most providers offer a standard host-port endpoint with username-password authentication, allowing developers to control IP rotation or session stickiness directly through the username string.

0
ProgrammingDEV Community ·

Physics Graduate Mark Tony Begins Coding Journey with Payilagam

Mark Tony, a fresh entrant to the technology field with an undergraduate background in Physics, has announced the start of his coding journey. He describes the move as fulfilling a passion he was unable to pursue during his college years. Tony has begun his learning venture in collaboration with Payilagam, a coding education platform. He has chosen the DEV Community as the starting point for documenting and sharing his developer journey.

0
ProgrammingDEV Community ·

Ungoverned AI Workloads Are Quietly Inflating Enterprise Cloud Bills

As organizations rapidly adopt AI services, costs from LLM endpoints, GPU instances, and vector databases are escalating without adequate oversight. Engineers are deploying AI workloads across cloud environments, but few teams have set budget limits, alerts, or usage guardrails. Some environments have seen AI service costs double within 30 days, with surprises only surfacing at month-end billing. Industry observers are framing this as a FinOps and cloud security challenge rather than a purely technical AI problem. Experts argue that the same governance disciplines applied to traditional cloud infrastructure must now be extended to AI workloads before costs spiral further.

SSO Account Takeover Exploited Email as Identity Key Instead of Provider-Subject Pair · ShortSingh