LONDON--(BUSINESS WIRE)--Security researchers at Push Security, a pioneer in identity threat detection and response (ITDR), have identified a new attacker technique known as "Cross-IdP Impersonation," which hijacks the single sign-on (SSO) process to gain unauthorized access to downstream applications without compromising a company's primary identity provider (IdP). Recent high-profile vulnerabilities, including ones involving Zendesk and Google, demonstrate the increasing risk this technique poses for organizations relying on SSO for secure access to software-as-a-service (SaaS) apps.
Cross-IdP impersonation exploits a flaw in SSO configurations: attackers create fraudulent IdP accounts that match an organization’s domain and then use those accounts to sign in to downstream apps via SSO. This tactic enables unauthorized access to various downstream applications, bypassing even the most secure primary IdP protections.
Notable Examples of Cross-IdP Impersonation
Two recent cases have highlighted the impact of Cross-IdP impersonation. In one instance, a 15-year-old researcher abused a flaw in Zendesk to create fraudulent Apple SSO accounts linked to hundreds of legitimate company domains. Using this newly created IdP account, the researcher could infiltrate connected apps, including Slack, exposing potentially sensitive information across multiple business applications.
In another example, a now-resolved Google domain verification flaw previously enabled newly created Google Workspace accounts to authenticate via SSO without requiring domain verification, which could then be used to log in to downstream applications usually accessed with a different SSO provider.
Security Implications and Attack Surface
“Cross-IdP impersonation could be likened to ghost logins on steroids,” said Dan Green, security researcher at Push Security. “This attack method bypasses traditional security safeguards that protect main IdP accounts. It doesn’t matter how locked down your primary IdP account is if attackers can simply create a new one for your domain.”
“In the examples we’ve seen in the wild, these attacks required no user interaction by exploiting configuration weaknesses in IdP and SaaS services. But the same result could be achieved through convincing social engineering scams, without needing to phish MFA factors or lure users to malicious webpages,” he continued.
Security tests on the most popular applications used by Push customers revealed that 3 in 5 of the apps tested do not require re-verification by default when adding a new SSO login method, meaning that an attacker can log in with a newly registered IdP and take over the accounts on downstream applications.
Mitigation and Security Recommendations
Push Security recommends that organizations take proactive steps to defend against Cross-IdP impersonation:
- Set Email Alerts: Implement automated email alerts for new IdP activation emails sent to employees, providing visibility into unauthorized IdP connections to company domains.
- Restrict Account Conversion: Where configurable, prevent the conversion of personal accounts to corporate accounts within primary IdP platforms.
- Enforce Re-Verification Protocols: Where configurable, require downstream applications to enforce re-verification when adding new SSO methods. Requiring login with the original method, rather than email approval, is a more secure approach.
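The third recommendation, re-verification when a new SSO method is added, is the one a SaaS provider implements in its account-linking code path. The following is an added example, not code from Push Security or from any of the products named above: a small Python policy check that contrasts the weak default (trusting the new IdP's asserted email alone), email-link approval, and the recommended approach of requiring a fresh login with an already-linked method. The account, request, and IdP names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set, Tuple


class Verification(Enum):
    """How a downstream app verifies a request to add a new SSO login method."""
    NONE = "none"                        # weak default: trust the new IdP's asserted email
    EMAIL_APPROVAL = "email_approval"    # approval link mailed to the account address
    EXISTING_METHOD = "existing_method"  # recommended: fresh login with a linked method


@dataclass
class Account:
    email: str
    linked_methods: Set[str]   # IdPs already trusted for this account, e.g. {"okta"}


@dataclass
class LinkRequest:
    account_email: str
    new_idp: str                              # IdP the caller wants to add, e.g. "apple"
    idp_asserted_email: str                   # email the new IdP asserts for the caller
    recent_auth_method: Optional[str] = None  # method behind the caller's current session
    recent_auth_age_s: int = 0                # seconds since that authentication
    email_approved: bool = False              # caller clicked a mailed approval link


def evaluate_link(account: Account, req: LinkRequest, policy: Verification,
                  max_auth_age_s: int = 300) -> Tuple[bool, str]:
    """Decide whether req.new_idp may be attached to account.

    Returns (allowed, reason). Only EXISTING_METHOD stops a caller who holds a
    freshly registered IdP account for the victim's address but no session with
    the downstream app.
    """
    if req.account_email.lower() != account.email.lower():
        return False, "request targets a different account"
    if req.idp_asserted_email.lower() != account.email.lower():
        return False, "new IdP asserts an email that does not match the account"
    if req.new_idp in account.linked_methods:
        return False, "method already linked"

    if policy is Verification.NONE:
        # A matching email is all it takes: a fraudulent IdP account created for
        # the organisation's domain is accepted as the account owner.
        return True, "email match only (no re-verification)"

    if policy is Verification.EMAIL_APPROVAL:
        if req.email_approved:
            return True, "approved via mailed link"
        return False, "awaiting email approval"

    # Verification.EXISTING_METHOD: the caller must prove control of the
    # account with a method that is already linked, and recently.
    if req.recent_auth_method is None:
        return False, "no authenticated session; log in with an existing method first"
    if req.recent_auth_method not in account.linked_methods:
        return False, f"session method {req.recent_auth_method!r} is not a linked method"
    if req.recent_auth_age_s > max_auth_age_s:
        return False, "existing-method login is too old; re-authenticate"
    return True, f"re-verified with {req.recent_auth_method}"


def link_method(account: Account, req: LinkRequest, policy: Verification) -> dict:
    """Apply the decision and return an audit record that an alert can be built on."""
    allowed, reason = evaluate_link(account, req, policy)
    if allowed:
        account.linked_methods.add(req.new_idp)
    return {"event": "sso_method_link", "account": account.email,
            "new_idp": req.new_idp, "allowed": allowed,
            "reason": reason, "policy": policy.value}


if __name__ == "__main__":
    # Constructed scenario: the account is normally reached through "okta"; a
    # caller presents a newly created "apple" IdP account for the same address
    # but has never signed in to this app.
    acct = Account("alice@example.com", {"okta"})
    unverified = LinkRequest("alice@example.com", "apple", "alice@example.com")
    for policy in Verification:
        print(policy.value, "->", evaluate_link(acct, unverified, policy))
    # The legitimate owner, fresh from an okta login, passes the strict policy.
    owner = LinkRequest("alice@example.com", "apple", "alice@example.com",
                        recent_auth_method="okta", recent_auth_age_s=60)
    print(link_method(acct, owner, Verification.EXISTING_METHOD))
```

The audit record returned by link_method is what the first recommendation builds on: every link attempt, allowed or not, produces an event naming the account and the new IdP, so a denied attempt from an unknown IdP can be alerted on rather than silently dropped.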
A Growing Threat Landscape
With the success of recent attacks, both attackers and security researchers are expected to focus increasingly on Cross-IdP impersonation techniques.
“As applications typically integrate with several IdPs, the inconsistencies in authentication are creating exploitable gaps in SaaS security across applications,” said Green.
Organizations are urged to monitor and tighten SaaS and IdP configurations and prepare to detect and respond to unauthorized SSO methods being used.
Cross-IdP impersonation could be mitigated if SaaS providers adopted a unified approach to SSO verification that ensures re-verification whenever a new method is added, but companies must act now to protect their data, accounts, and applications.
Push Security has updated its popular SaaS attack matrix resource, used by security teams to simulate and defend against SaaS and identity attacks, and has provided more details on this cross-IdP impersonation trend on the Push Security blog: https://pushsecurity.com/blog/cross-idp-impersonation
About Push Security
Push Security recognizes that identities sprawled across the internet are now the primary attack surface and the route of least resistance for attackers. Push helps security operations teams to detect and stop attacks before user accounts can be compromised with its browser-based identity threat detection and response (ITDR) platform designed to detect attack techniques used earlier in the kill chain such as phishing, AitM/BitM toolkits, credential stuffing, session hijacking, and more. Push Security was founded by former red team members skilled in offensive security and security operations and is backed by Decibel, Google Ventures and other notable angel investors. For more information, visit https://pushsecurity.com or follow @pushsecurity.