
Hi. I think the most effective strategy would be to shame all those walking outside, but I think it is too late for that, so sucks for me. Good almost-lunch-time, everyone, here at BSides Tel Aviv, and welcome to my talk, "SSO, oh no". Yeah, you can clap your hands. In this talk today you are going to see all kinds of epic fails in implementations of SSO pages, and mostly learn what not to do if you have them, if you implement them: a lot of silly stuff which you should actually avoid.

So that's me. That's a very quick talk here, it's 10 minutes, so you can postpone lunch a bit. I'm not going to speak about myself; if you want, scan the QR code. It is benign, pinky swear, it's just my LinkedIn profile and you can learn about me. And yeah, that's Chewbacca, and he's in every one of my slides, or sorry, presentations.

Single sign-on. Before we speak about the fails, let's speak about SSO. In the past, decades ago, you needed all kinds of passwords and usernames for different apps. It started to consolidate: a few years later you have Active Directory, on-premise maybe, and you all use it in order to log into different applications. But in the last few years you have cloud, you have all kinds of people working from home remotely using VPN, and you can't sustainably use all these shenanigans. You need a single identity provider, a single authority, a single provider of tickets to any ride in the theme park, that anyone will know and respect. And that's basically SSO. I'm not going to go into the technicalities behind it; it's not that interesting for the scope of this talk, and we're here not to speak about SSO per se but about the fails.

But first, how it all came to be. Well, basically because I'm as lazy as Chewbacca, which is also the star of the slide. I use SSO every day. I log into a service, I need to type in, Azure for example, my full username at my employer's domain. My full name is long, as you all know right now, so I try to evade that. So I realized that I can type blah at employer name and still be redirected. It's not a bug, it's a feature: the service is unaware of the actual users used by the SSO provider. It makes sense to some extent. And then came the classic "what if" eureka moment of every one of these talks: what if, instead of employer-name.com, I put another domain? Will it still work? Will it redirect me to a different SSO page of a different company, which I have no affiliation with? You won't be surprised that the answer is yes. And it was more of a "welcome to the jungle" moment than a "what if" moment in some sense, because what came up next is that I've seen so many different classes of misimplementations that I said, well, it is worth a talk, maybe a quick talk, but a talk.

And those classes are as follows: exposing password reset functionality in an SSO page, because yeah, it makes a lot of sense, why shouldn't you be able to reset users' passwords from the internet; disclosing partial or not-so-partial email and phone number information; listing hundreds and hundreds of internal assets; and providing an onboarding guide for anyone who wants to join your organization, maybe configure a VPN device, out there on the internet in an SSO login page.

Let's go to the fun examples, because that's the fun part, the face-palm part of the talk. That was the first portal I've seen, with a "change password" button, so I clicked it, and I was almost immediately shocked that I got a password reset menu. It even explained to me what the format of the internal Active Directory username is. So all I need to do is go to LinkedIn and find one of the employees of the company to check it out, use the format they explained, and yeah, I was able to reset the password, if I had their mobile device or email account. But on the other hand, they did provide me the email account and an almost not-partial mobile number, and you can cross-reference it with a lot of leaks, and it is quite easy to get the full phone number. And remember Lapsus$, maybe from a few months back: they did a thing called SIM swapping, which basically means that they hijack the phone number of their target. It is not that trivial, but it is definitely a thing which is possible. And if you have the phone number and the username and the capability to reset a password from anywhere on earth with a connection to the internet, it is a serious threat. And adding insult to injury, they misimplemented the captcha: they had different errors for a captcha and a username which are incorrect, and they were applied in the wrong order, the test for what's wrong.

So, okay, I found all kinds of classes, and in my essence I am into OSINT, and I found a really nice Google dork. Google dorks, for those who don't know, are Google hacks, kind of, in a search engine. I found something, which is not this of course, which allowed me to find an entire class of other issues we'll see in a second. Using this dork I was able to find over 3,000 websites which looked like this. You were able to even log in to the entire scope of whatever this company provides, or you were able to log in to specific assets using the SSO service, but the list of assets was exposed on the internet. It had, in some cases, hundreds of assets, some named "our very secret top crypto project" or whatever; others were internal, like databases exposed. They weren't quite sure it will be this public; nevertheless, it's just, you know, an SAP database, some kind of an internal website which was exposed for some odd reason. The very name of the asset was the domain you could have accessed from the internet.

And last but not least, this login page. I'm a chatty person, so I've seen that "chat with IT support" button and I clicked it immediately, but yeah, I don't really want to chat with IT, it's kind of embarrassing, I don't know how effective it will be. So I just went to the IT setup guide. That's strange, why do you have an IT setup guide in an SSO page? And I found this way the guide to onboard a new employee to the organization, including instructions about how to configure a VPN device, how to configure all kinds of internal software, things which shouldn't be out there on the internet. It makes my life as a potential attacker way easier.

And that's, I think, the bottom line of everything here today: remember that SSO login pages are public by default. There's a lot of information being exposed there which shouldn't be. It should look like this. And you might find some sense in the fact that you should balance between security and operational costs; you do need to onboard new users, for example. However, while that's true, you don't need to do it recklessly. For example, you can install a certificate on the devices which should communicate with this portal, mutual TLS, known as ... and this will save a lot of the risk of being capable to access what you've seen here today from the internet. Or in the case of exposing hundreds of assets by name out to the internet, you can expose the same list, but for people who already did some form of identification in front of the organization. It shouldn't be pre-auth; it makes no sense to me. And with this, I think we can conclude this very quick talk. I hope you enjoyed it; if you want to speak more about it, here are my contact details. And that's it, thank you.
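The captcha-ordering fail from the password-reset portal, as an added example that is not from the talk: two hypothetical Python reset handlers over a constructed user list, one that checks the username before the captcha and answers with distinct errors, and a hardened one that verifies the captcha first and returns a single generic message so neither account existence nor a partial phone number leaks.

```python
# Added example, not from the talk. All names, users and captcha values
# below are constructed for illustration.
import hmac

# Constructed sample directory of internal AD usernames (not real data).
USERS = {"j.doe", "a.smith"}

# Constructed captcha store: token -> expected answer (single use).
CAPTCHAS = {"tok-1": "7h3x"}

# Record of reset messages "sent" by the hardened handler (stands in for SMS/email).
SENT = []

GENERIC = "If the account exists, a reset link has been sent."


def vulnerable_reset(username: str, captcha_token: str, captcha_answer: str) -> str:
    # Wrong order: the username is evaluated before the captcha, and every
    # failure has its own message, so unknown vs. valid users are told apart
    # without the caller ever solving a captcha.
    if username not in USERS:
        return "Unknown username"
    expected = CAPTCHAS.get(captcha_token)
    if expected is None or not hmac.compare_digest(expected, captcha_answer):
        return "Wrong captcha"
    return "Reset SMS sent to ***-***-1234"  # also discloses a partial phone number


def hardened_reset(username: str, captcha_token: str, captcha_answer: str) -> str:
    # Captcha first, and the token is consumed so it cannot be replayed.
    # Nothing about the account is evaluated until the captcha has passed,
    # and every outcome yields the same message.
    expected = CAPTCHAS.pop(captcha_token, None)
    if expected is None or not hmac.compare_digest(expected, captcha_answer):
        return GENERIC
    if username in USERS:
        SENT.append(username)  # hypothetical delivery to the user's registered channel
    return GENERIC


def leaks_username_validity(handler) -> bool:
    """True if the handler answers differently for a valid vs. an unknown
    username when no valid captcha is supplied (a free enumeration oracle)."""
    known = handler("j.doe", "bogus-token", "")
    unknown = handler("nobody", "bogus-token", "")
    return known != unknown
```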