Vulnerability Note VU#612636
Google SAML Single Sign on vulnerability
The SAML Single Sign-On (SSO) Service for Google Apps contained a vulnerability that could have allowed an attacker to gain access to a user's Google account.
The Security Assertion Markup Language (SAML) is a standard for transmitting authentication data between two or more security domains. In SAML language, XML security packets are called assertions. Identity providers pass assertions to service providers who allow the requests. In the Google Single Sign on (SSO) implementation, the authentication response did not include the identifier of the authentication request or the identity of the recipient. This may allow a malicious service provider to impersonate a user at other service providers.
More technical information about this issue is available in the Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps whitepaper which is available here: http://www.ai-lab.it/armando/GoogleSSOVulnerability.html
A malicious service provider might have been able to access a user's Google Account or other services offered by different identity providers.
Google has addressed this issue by changing the behavior of their SSO implemenation. Administrators and developers were required to update their identity provider to provide a valid recipient field in their assertions.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Affected||18 Jun 2008||02 Sep 2008|
CVSS Metrics (Learn More)
Thanks to Alessandro Armando and the AVANTSSAR Project for reporting this issue and to Google for providing technical information and feedback
This document was written by Ryan Giobbi.
- CVE IDs: Unknown
- Date Public: 13 Jun 2008
- Date First Published: 02 Sep 2008
- Date Last Updated: 25 Sep 2008
- Severity Metric: 2.10
- Document Revision: 21
If you have feedback, comments, or additional information about this vulnerability, please send us email.