Cross-IdP impersonation bypasses SSO protections
Cross-IdP impersonation – a technique that enables attackers to hijack the single sign-on (SSO) process to gain unauthorized access to downstream software-as-a-service (SaaS) applications without compromising a company’s primary identity provider (IdP) – is expected to gain popularity with attackers, according to Push Security researchers.
What is cross-IdP impersonation?
Cross-IdP impersonation exploits a flaw in SSO configurations by allowing attackers to create fraudulent IdP accounts matching an organization’s domain, which are then used to access downstream apps via SSO.
Cross-IdP impersonation attack path (Source: Push Security)
Two recent cases have highlighted the impact of Cross-IdP impersonation.
In one instance, a 15-year-old researcher abused a flaw in Zendesk to create fraudulent Apple SSO accounts linked to hundreds of legitimate company domains. Using this newly created IdP account, the researcher could infiltrate connected apps, including Slack, exposing potentially sensitive information across multiple business applications.
In another example, a now-resolved Google domain verification flaw previously enabled newly created Google Workspace accounts to authenticate via SSO without requiring domain verification, which could then be used to access login to downstream applications usually accessed with a different SSO provider.
“This attack method bypasses traditional security safeguards that protect main IdP accounts. It doesn’t matter how locked down your primary IdP account is if attackers can simply create a new one for your domain,” said Dan Green, security researcher at Push Security.
“There are two key parts that make this a repeatable technique: That it’s easy to add a new IdP and link it to your domain/email (and there actually a lot of IdPs to choose from), and that many apps do not require re-authentication upon adding a new login method. The attack wouldn’t be possible without both of these components, but the second is probably the most impactful,” Green told Help Net Security.
“In the examples we’ve seen in the wild, these attacks required no user interaction by exploiting configuration weaknesses in IdP and SaaS services. But the same result could be achieved through convincing social engineering scams, without needing to phish MFA factors or lure users to malicious webpages.”
Security tests on the most popular applications used by Push customers revealed that 3 in 5 of the apps tested do not require re-verification by default when adding a new SSO login method, meaning that an attacker can log in with a newly registered IdP and take over the accounts on downstream applications.
Mitigation and security recommendations
Push Security recommends that organizations take proactive steps to defend against cross-IdP impersonation:
- Set email alerts: Implement automated email alerts for new IdP activation emails sent to employees, providing visibility into unauthorized IdP connections to company domains.
- Restrict account conversion: Where configurable, prevent the conversion of personal accounts to corporate accounts within primary IdP platforms.
- Enforce re-verification protocols: Where configurable, require downstream applications to enforce re-verification when adding new SSO methods. Requiring login with the original method, rather than email approval, is a more secure approach.
Organizations are urged to monitor and tighten SaaS and IdP configurations and prepare to detect and respond to unauthorized SSO methods being used.
Cross-IdP impersonation could be mitigated with a unified approach to SSO verification by SaaS providers by ensuring re-verification upon a new method being added, but companies must act now to protect their data, accounts, and applications.