
New Security Alert from Push Security: Cross-IdP Impersonation Threatens SSO Security to Gain Unauthorized Access to Downstream Apps


Business Wire

LONDON: Security researchers at Push Security, a pioneer in identity threat detection and response (ITDR), have identified a new technique used by attackers known as "Cross-IdP Impersonation," that enables attackers to hijack the single sign-on (SSO) process to gain unauthorized access to downstream applications without compromising a company's primary identity provider (IdP). Recent high-profile vulnerabilities, including ones involving Zendesk and Google, demonstrate the increasing risk this technique poses for organizations relying on SSO for secure access to software-as-a-service (SaaS) apps.

Cross-IdP impersonation exploits a weakness in SSO configurations: attackers create fraudulent IdP accounts matching an organization's domain and then use them to access downstream apps via SSO. This tactic enables unauthorized access to various downstream applications, bypassing even the most secure primary IdP protections.

Notable Examples of Cross-IdP Impersonation
Two recent cases have highlighted the impact of Cross-IdP impersonation. In one instance, a 15-year-old researcher abused a flaw in Zendesk to create fraudulent Apple SSO accounts linked to hundreds of legitimate company domains. Using this newly created IdP account, the researcher could infiltrate connected apps, including Slack, exposing potentially sensitive information across multiple business applications.

In another example, a now-resolved Google domain verification flaw previously enabled newly created Google Workspace accounts to authenticate via SSO without requiring domain verification, which could then be used to log in to downstream applications usually accessed with a different SSO provider.

Security Implications and Attack Surface
“Cross-IdP impersonation could be likened to ghost logins on steroids,” said Dan Green, security researcher at Push Security. “This attack method bypasses traditional security safeguards that protect main IdP accounts. It doesn’t matter how locked down your primary IdP account is if attackers can simply create a new one for your domain.”

“In the examples we’ve seen in the wild, these attacks required no user interaction by exploiting configuration weaknesses in IdP and SaaS services. But the same result could be achieved through convincing social engineering scams, without needing to phish MFA factors or lure users to malicious webpages,” he continued.

Security tests on the most popular applications used by Push customers revealed that 3 in 5 of the apps tested do not require re-verification by default when adding a new SSO login method, meaning that an attacker can log in with a newly registered IdP and take over the accounts on downstream applications.

Mitigation and Security Recommendations
Push Security recommends that organizations take proactive steps to defend against Cross-IdP impersonation:

  • Set Email Alerts: Implement automated email alerts for new IdP activation emails sent to employees, providing visibility into unauthorized IdP connections to company domains.
  • Restrict Account Conversion: Where configurable, prevent the conversion of personal accounts to corporate accounts within primary IdP platforms.
  • Enforce Re-Verification Protocols: Where configurable, require downstream applications to enforce re-verification when adding new SSO methods. Requiring login with the original method, rather than email approval, is a more secure approach.
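The third recommendation is easiest to see in code. The following is an added example, not Push Security's code or the code of any of the applications named above: a simulated SaaS account-linking handler in its weak form (auto-link any IdP that asserts a matching e-mail) beside a hardened form that only links a new IdP when the caller already holds a session authenticated with one of the account's existing methods. All IdP names ("okta", "apple"), addresses and session data are constructed for the example.

```python
"""Simulated SSO account linking in a downstream SaaS app.

Added example illustrating the re-verification recommendation; not code
from Push Security or any vendor. IdP names, e-mails and sessions are
constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    linked_idps: set = field(default_factory=set)  # login methods already trusted


@dataclass
class SsoAssertion:
    idp: str             # issuer of the assertion, e.g. "okta", "apple"
    email: str           # e-mail claim presented by the IdP
    email_verified: bool


def make_store() -> dict:
    """Constructed user store: a corporate account originally set up via Okta only."""
    return {"alice@example.com": Account("alice@example.com", {"okta"})}


def login_insecure(store: dict, assertion: SsoAssertion) -> Optional[Account]:
    """Weak pattern (the 3-in-5 default described above): any trusted IdP that
    asserts a matching, verified e-mail is silently added as a login method and
    granted access. A freshly registered account at another IdP that claims the
    same address therefore takes over the downstream account."""
    acct = store.get(assertion.email)
    if acct is None or not assertion.email_verified:
        return None
    acct.linked_idps.add(assertion.idp)  # no re-verification before linking
    return acct


def login_secure(store: dict, assertion: SsoAssertion,
                 active_session: Optional[dict] = None,
                 audit_log: Optional[list] = None) -> Optional[Account]:
    """Hardened pattern: an assertion from an IdP that is not yet linked is
    refused unless the caller presents a session that was itself authenticated
    with one of the account's existing methods (step-up via the original
    method, not an e-mail approval link). Refusals are recorded so the SOC can
    alert on attempted use of an unknown IdP."""
    acct = store.get(assertion.email)
    if acct is None or not assertion.email_verified:
        return None
    if assertion.idp in acct.linked_idps:
        return acct  # known method: normal login
    session_ok = (
        active_session is not None
        and active_session.get("email") == acct.email
        and active_session.get("auth_method") in acct.linked_idps
    )
    if session_ok:
        acct.linked_idps.add(assertion.idp)  # explicit, re-verified linking
        if audit_log is not None:
            audit_log.append(("linked", acct.email, assertion.idp))
        return acct
    if audit_log is not None:
        audit_log.append(("refused_unlinked_idp", acct.email, assertion.idp))
    return None


if __name__ == "__main__":
    # Constructed scenario: an assertion from an IdP the account never used.
    attacker = SsoAssertion("apple", "alice@example.com", True)
    print("insecure:", login_insecure(make_store(), attacker))
    log = []
    print("secure, no step-up:", login_secure(make_store(), attacker, audit_log=log))
    print("audit:", log)
```

Run as a script, the weak handler returns the account with "apple" added to its login methods, while the hardened handler returns `None` and records a `refused_unlinked_idp` event; passing a session dict whose `auth_method` is "okta" is the only way to get the new method linked.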

A Growing Threat Landscape
With the success of recent attacks, both attackers and security researchers are expected to focus increasingly on Cross-IdP impersonation techniques.

“As applications typically integrate with several IdPs, the inconsistencies in authentication are creating exploitable gaps in SaaS security across applications,” said Green.

Organizations are urged to monitor and tighten SaaS and IdP configurations and prepare to detect and respond to unauthorized SSO methods being used.

Cross-IdP impersonation could be mitigated by a unified approach to SSO verification on the part of SaaS providers, ensuring re-verification whenever a new method is added, but companies must act now to protect their data, accounts, and applications.

Push Security has updated its popular SaaS attack matrix resource, used by security teams to simulate and defend against SaaS and identity attacks, and has provided more details on this cross-IdP impersonation trend on the Push Security blog: https://pushsecurity.com/blog/cross-idp-impersonation

About Push Security
Push Security recognizes that identities sprawled across the internet are now the primary attack surface and the route of least resistance for attackers. Push helps security operations teams to detect and stop attacks before user accounts can be compromised with its browser-based identity threat detection and response (ITDR) platform designed to detect attack techniques used earlier in the kill chain such as phishing, AitM/BitM toolkits, credential stuffing, session hijacking, and more. Push Security was founded by former red team members skilled in offensive security and security operations and is backed by Decibel, Google Ventures and other notable angel investors. For more information, visit https://pushsecurity.com or follow @pushsecurity.

Source: Business Wire
