ra2 studio - Fotolia
Confused deputy: How did the vulnerability affect Slack?
A major SAML vulnerability was found in Slack that granted expired login credentials permission into the system. Matt Pascucci explains how this 'confused deputy' problem was handled.
Security researchers found a major SAML vulnerability in Slack's implementation that led to what's called a confused deputy issue. How does the SAML vulnerability work, and what is the confused deputy problem?
A confused deputy isn't some type of disorganized law enforcement official; it's when an application has the permission to perform one thing and applies it to the permissions of something completely different. In this case, the confused deputy was within the security assertion markup language (SAML) implementation that's used for authentication, and it enabled misuse of the authorization.
A security researcher and senior software engineer at Adobe, Antonio Sanso, found the confused deputy issue while searching through sites using SAML. When making his way over to Slack, he was able to pass a SAML assertion that was expired, but that still gave him access to Slacker.
After performing more research on the issue, he also concluded that he was able to submit a SAML assertion that was not only expired, but that was not originally meant for Slack to begin with. He used an old and expired GitHub assertion to authenticate directly into Slack with the username of the old assertion -- this was never meant for Slack, but the confused deputy accepted this assertion and applied authentication to the application.
Sanso wrote on his blog: "To be more concrete I used an old and expired (yes the assertion was also expired!!) Github Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one."
With SAML authentication, there's a user, identity provider and service provider, but there's also the AudienceRestriction element that basically identifies the source or audience of the service provider for which the assertion was intended. With this SAML bypass attack, Sanso was able to access the account without following a proper authentication process.
After notifying Slack through the company's HackerOne bug bounty submission, Antonio received a quick reply from Slack saying they went through the process of remediating and fixing the SAML vulnerability. In doing so, he was awarded $3,000 from Slack for finding and alerting them to the bug within their system.
Organizations like Slack rely on the white hat hacker community to defend against bugs similar to this SAML confused deputy vulnerability. Even with a mature security vulnerability management program in place, there will always be incidents that arise and need attention. By extending these tests to the information security community to poke and prod at applications, skilled people like Antonio can assist in increasing security posture. By adding another layer of testing to these applications, more vulnerabilities, such as confused deputy, will be found and remediated.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)