O365 auth bypass

[Cantor, Scott]

On 4/27/16, 1:18 PM, "users on behalf of Rob Gorrell" <users-bounces at shibboleth.net on behalf of rwgorrel at uncg.edu> wrote:



>thought i would past this along for those that haven't seen... Looks like Microsoft had some significant problems with their SAML implementation in O365.
>
>http://www.economyofmechanism.com/office365-authbypass.html

More precisely in their application. There's nothing in SAML or any federated protocol that mitigates this, and even the Shibboleth-defined scope filtering idea only applies to some attributes. If you had a service using, say, employee number to link users in, you're going to be vulnerable without other checks.

This is being misrepresented (and dangerously so, IMHO) as a SAML issue because it gives people the idea that the middleware is enough to prevent this kind of problem. It's an application authorization bug and has to be approached from the application perspective to address properly without a lot of assumptions.

One of the interesting things that cropped up in this though is that all this agonizing over their misuse of persistent ID appears to be even worse than it appeared: they apparently require it be present but don't *use* it...

-- Scott