September 10th, 2008

Google closes hole in Single Sign-On service

Posted by Ryan Naraine @ 9:23 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Google, Passwords, Pen testing, Vulnerability research, Web 2.0

Tags: Google Inc., Single Sign-on, Authentication/Encryption, Security, Ryan Naraine

Google has fixed an implementation flaw in the single sign-on service that powers Google Apps following a warning from researchers that remote attackers can exploit a hole to access Google accounts.

The vulnerability, described in this white paper (.pdf), affects the SAML Single Sign-On Service for Google Apps.

This US-CERT notice describes the issue:

A malicious service provider might have been able to access a user’s Google Account or other services offered by different identity providers.

Google has addressed this issue by changing the behavior of their SSO implementation. Administrators and developers were required to update their identity provider to provide a valid recipient field in their assertions.

To exploit this vulnerability, an attacker would have to convince the user to login to their site.

* Hat tip: Heise Security.
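The recipient check the notice refers to, seen from the side of a service provider consuming an assertion, as an added example (not code from Google, US-CERT or the white paper). It assumes SAML 2.0, where the recipient is the `Recipient` attribute of `SubjectConfirmationData`; the URLs, sample assertions and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed value: the assertion consumer service URL of this (hypothetical) SP.
OUR_ACS_URL = "https://sp.example.org/saml/acs"


def make_assertion(recipient):
    """Build a constructed, unsigned SAML 2.0 assertion for the demo.

    recipient=None omits the attribute, i.e. an assertion not bound to any SP.
    """
    attr = f' Recipient="{recipient}"' if recipient is not None else ""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Subject><saml:NameID>alice@example.org</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f"<saml:SubjectConfirmationData{attr}/>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    )


def recipient_is_valid(assertion_xml, expected_acs_url):
    """Return True only if the assertion is explicitly addressed to us.

    Assumption: the signature was already verified elsewhere; this covers
    only the recipient binding. Stricter than the minimum: every
    SubjectConfirmationData present must name our ACS URL exactly.
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS
    )
    if not confirmations:
        return False  # no confirmation data at all: nothing binds it to us
    return all(c.get("Recipient") == expected_acs_url for c in confirmations)


def demo():
    """Evaluate three constructed assertions against our ACS URL."""
    return {
        "addressed_to_us": recipient_is_valid(make_assertion(OUR_ACS_URL), OUR_ACS_URL),
        "addressed_elsewhere": recipient_is_valid(
            make_assertion("https://other-sp.example.net/acs"), OUR_ACS_URL),
        "no_recipient": recipient_is_valid(make_assertion(None), OUR_ACS_URL),
    }
```

An assertion with no recipient is rejected in the same way as one addressed to a different service provider, since neither is bound to the party consuming it.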

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 4 Talkback(s)
ROTFLMAO...
I guess you missed the part that said "an attacker
would have to convince the user to login to their
site". So in other words, this is a vulnerability if
you are stupid. I guess that does include you so I
can see why you would think it was a big deal....
Posted by: jasonp@... Posted on: 09/11/08