SSO Account Takeover Exploited Email as Identity Key Instead of Provider-Subject Pair
A security vulnerability in a multi-tenant SSO platform allowed attackers to take over any user account without a password or phishing by exploiting how federated login assertions were resolved to local accounts. The system used the email address from an IdP assertion as the primary lookup key, but in a multi-tenant environment any tenant controlling their own SAML or OIDC provider could assert any email string they chose. Because the assertion signature was cryptographically valid, all individual security checks passed — yet the wrong account was granted access. The root cause was treating a forgeable, globally non-unique field as a trusted identity anchor rather than using the unforgeable (provider, subject-identifier) pair scoped to each connection. The fix involved abandoning email-based account resolution entirely and keying returning users on the (provider, sub) tuple, relegating email to a non-authoritative linking hint only.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in