O365 auth bypass

[Ioannis Kakavas]

On 28/04/2016 01:41 πμ, Tom Scavo wrote:
> On Wed, Apr 27, 2016 at 6:26 PM, Ioannis Kakavas <ikakavas at noc.grnet.gr> wrote:
>> On April 27, 2016 8:28:01 PM GMT+03:00, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
>>>
>>> This is being misrepresented (and >dangerously so, IMHO)
>>
>> That's an overstatement IMHO.
>>
>>> as a SAML issue
>>> because it gives people the idea that the middleware is enough to
>>> prevent this kind of problem.
>>
>> It's not claimed that the middleware would/should solve the issue. The write up is addressed to a general security aware audience, not to saml experts, and as though some things are simplified.
> 
> I think the point is that the issue is not a SAML issue per se, yet
> the article spends most of its time discussing the SAML protocol,
> therefore implying (to the casual reader at least) that SAML is at

Point taken. The reason to discuss SAML in the article, was that in my
mind if someone doesn't get this first, the rest of the article does not
make sense.

> fault. In fact, OIDC clients are susceptible to this attack if they
> narrowly focus on the 'sub' claim but fail to check the issuer. So the
> problem is much more general than what might otherwise be perceived.
> 
> Tom
> 

-- 
------------------------------------------------------------------
Ioannis Kakavas - ikakavas at grnet.gr
Identity and Security Engineer
GRNET Network Operations Centre
Greek Research & Technology Network - http://www.grnet.gr
56, Mesogion Av., Ampelokipi, 11527 Athens, Greece
Office: +30 2107474255

PGP Fingerprint: A5AA FB5E 740A 603B FAB1 9920 D70F 0CD5 9DE3 C262
------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://shibboleth.net/pipermail/users/attachments/20160428/b46d0b81/attachment.sig>