Cloud-based communications platform Slack finished patching a severe security hole Thursday affecting portions of its platform that used the Security Assertion Markup Language (SAML) standard for user authentication.
The flawed implementation of SAML by Slack impacted mostly enterprise customers who are its primary users as a means of authentication to access Slack accounts.
SAML is an open standard that defines how a company offers authentication and authorization for its services. It is the framework used to exchange data between an identity provider and a service provider in the context of accessing a user account. It’s also used for single sign-on implementations across multiple systems, platforms and other resources.
Researcher Antonio Sanso, a senior software engineer at Adobe, discovered the vulnerability in February. Slack confirmed the bug the following month, awarding him $3,000 for the discovery through its bug bounty program. According to Slack, the bug has been patched on affected systems.
“The vulnerability I found is part of the class known as ‘confused deputy problem,’” Sanso wrote on his personal blog outlining his discovery.
A confused deputy problem is type of privilege escalation vulnerability and describes a computer program that has permissions given to it for one thing, but misuses its authority and applies those permissions to something else.
In the case of Sanso, he discovered instances of a Slack SAML username/password authentication allowing past users of Slack (with an expired assertion) to regain access to a Slack account they are no longer permitted to access. An assertion is the XML rule that the service provider uses to make access-control decisions.
In another scenario, Sanso discovered an expired assertion could be used for more nefarious applications.
“To be more concrete I used an old and expired (yes the Assertion was also expired!!) Github’s Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one.”
Slack declined to answer questions for this story only stating that the issue has been fully patch as of Thursday.