
Confused deputy: How did the vulnerability affect Slack?

A SAML vulnerability in Slack allowed an expired assertion, issued for a different service and a different user, to log someone in. Matt Pascucci explains the 'confused deputy' problem behind it and how it was handled.

Security researchers found a major SAML vulnerability in Slack's implementation that led to what's called a confused deputy issue. How does the SAML vulnerability work, and what is the confused deputy problem?

A confused deputy isn't some type of disorganized law enforcement official; it's a program that holds authority to do one thing and is tricked by a less privileged party into using that authority for something else. In this case, the deputy was Slack's security assertion markup language (SAML) implementation, which is used for authentication: it held the authority to log users in, and a signed assertion that was never meant for Slack was enough to make it exercise that authority on the wrong user's behalf.

Antonio Sanso, a security researcher and senior software engineer at Adobe, found the confused deputy issue while examining sites that use SAML. When he got to Slack, he found he could present an expired SAML assertion and still be granted access to Slack.

On further investigation, he found that Slack would also accept an assertion that was not only expired, but had never been issued for Slack in the first place. He presented an old, expired assertion originally issued for GitHub, and Slack logged him in as the user named in that assertion's subject, a user other than himself. The assertion was never meant for Slack, but the confused deputy accepted it and granted a session.

Sanso wrote on his blog: "To be more concrete I used an old and expired (yes the assertion was also expired!!) Github Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one."

A SAML exchange involves a user, an identity provider that issues the assertion and a service provider that consumes it. Within the assertion, the Conditions element carries a validity window (NotBefore and NotOnOrAfter) and an AudienceRestriction element whose Audience values name the service provider(s) the assertion was issued for. A service provider must reject an assertion whose audience does not include its own identifier or whose validity window has passed, even when the signature verifies. Slack's implementation did not enforce those conditions, which is why Sanso could gain access without completing a proper authentication flow for Slack.
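The following is an added example, not Slack's code or Sanso's. It shows the difference between a service provider that trusts the subject of any well-formed assertion and one that enforces the Conditions element. The assertions, the audience URIs (SLACK_AUDIENCE, GITHUB_AUDIENCE) and the clock value NOW are constructed placeholders; the XML signature is assumed to have been verified before these checks run, since the point of the bug described above is that a correctly signed assertion was honoured without the semantic checks.

```python
"""Audience and validity-window checks a SAML service provider must perform.

Added example (not Slack's or Sanso's code). Assertions and audience URIs
below are constructed placeholders. XML signature verification is assumed to
have already passed; this code only covers the Conditions checks.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SLACK_AUDIENCE = "https://slack.example.test"    # assumed SP entity ID
GITHUB_AUDIENCE = "https://github.example.test"  # assumed, a different SP

# Constructed "current time" used by the demo and the checks below.
NOW = datetime(2017, 11, 1, 10, 1, tzinfo=timezone.utc)


def _assertion(subject, audience, not_before, not_on_or_after):
    """Build a minimal, unsigned SAML 2.0 assertion for demonstration."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0" ID="_demo"
    IssueInstant="{not_before}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


# Constructed inputs: an old assertion issued for another SP and another user,
# and a fresh one actually issued for this SP.
OLD_GITHUB_ASSERTION = _assertion("not-asanso", GITHUB_AUDIENCE,
                                  "2016-03-01T10:00:00Z", "2016-03-01T10:05:00Z")
FRESH_SLACK_ASSERTION = _assertion("asanso", SLACK_AUDIENCE,
                                   "2017-11-01T10:00:00Z", "2017-11-01T10:05:00Z")


def _parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def naive_subject(xml_text):
    """The behaviour described on the page: take the subject of any signed
    assertion, ignoring who it was issued for and whether it is still valid."""
    root = ET.fromstring(xml_text)
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def validate_assertion(xml_text, expected_audience, now, skew=timedelta(minutes=3)):
    """Return (name_id, reasons). Empty reasons means the assertion is acceptable
    for the service provider identified by expected_audience."""
    root = ET.fromstring(xml_text)
    reasons = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, ["missing Conditions"]

    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        reasons.append("missing validity window")
    else:
        if now + skew < _parse_ts(not_before):
            reasons.append("not yet valid")
        if now - skew >= _parse_ts(not_on_or_after):   # NotOnOrAfter is exclusive
            reasons.append("expired")

    # Every AudienceRestriction must be satisfied; within one, any Audience may match.
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        reasons.append("missing AudienceRestriction")
    for restriction in restrictions:
        audiences = [a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            reasons.append("audience mismatch")
            break

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        reasons.append("missing Subject/NameID")
    return (name_id if not reasons else None), reasons


if __name__ == "__main__":
    print("naive:  ", naive_subject(OLD_GITHUB_ASSERTION))
    print("checked:", validate_assertion(OLD_GITHUB_ASSERTION, SLACK_AUDIENCE, NOW))
    print("checked:", validate_assertion(FRESH_SLACK_ASSERTION, SLACK_AUDIENCE, NOW))
```

The naive function returns "not-asanso" for the old GitHub assertion, which is exactly the account the deputy would log the attacker into; the checked version rejects it for being both expired and addressed to another service, and only accepts the fresh assertion whose Audience matches the service provider's own identifier. The skew allowance is a deliberate choice for clock drift between identity provider and service provider; keep it small.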


After Sanso reported the issue through Slack's HackerOne bug bounty program, Slack replied quickly that it had remediated the SAML vulnerability, and awarded him $3,000 for finding and reporting the bug.

Organizations like Slack rely on the white hat hacker community to defend against bugs like this SAML confused deputy vulnerability. Even with a mature vulnerability management program in place, issues will always arise that need attention. Opening applications to the information security community to poke and prod lets skilled people like Sanso help improve security posture, and that extra layer of testing means more vulnerabilities, such as this confused deputy, are found and remediated.


This was last published in January 2018
