Home / vulnerabilities google-saml.txt
Posted on 09 September 2008
Source : packetstormsecurity.org Link
Google SAML Single Sign on vulnerability
Credit: Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, Llanos Tobarra
Class: Impersonation
Remote: Yes
Risk: HIGH
Product: Google Apps - Single Sign-On service
Version: version before 28/08/2008
Vendor: http://www.google.com/apps/
Patch: version after 28/08/2008, http://code.google.com/apis/apps/libraries_and_samples.html#sso
Google's Single Sign-On service allows partner companies to provide
their employees and users a direct and transparent access to popular
web-based Google Apps like Gmail or Google Calendar.
+] Vulnerability Description
The attack allowed a dishonest service provider to access Google Apps
under the identity of an unaware user.
+] Attack Proof of Concept
Identity providers authenticate users and pass authentication
assertions to service providers who grant access to restricted
services/resources (e.g., Gmail in Google Apps). In the SAML-based
Single Sign on (SSO) implementation, the authentication response did
not include the identifier of the authentication request nor the
identity of the service provider. This could have allowed a malicious
service provider to impersonate a user at Google Apps by simply
replaying to Google the authentication response it received for the
user. More details can be found here:
http://www.ai-lab.it/armando/GoogleSSOVulnerability.html
+] Patch
Google has been contacted on May 25, 2008.
Google released the patch and informed its customers on July 02, 2008.
The vulnerability has been discovered in the context of the EU FP7
project AVANTSSAR (www.avantssar.eu) by Prof. Armando and Roberto
Carbone (U. of Genova), Dr. Luca Compagna (SAP Research, France),
Dr. Jorge Cuellar (Siemens AG, Germany), and Llanos Tobarra (U. of
Castilla-La Mancha, Spain).
