Most active commenters
  • tsimionescu(5)

←back to thread

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

(github.blog)
312 points campuscodi | 33 comments | 15 Mar 25 19:06 UTC | HN request time: 0.67s | source | bottom
Show context
asmor ◴[15 Mar 25 20:50 UTC] No.43375068[source]
GitHub's SAML implementation is useless. The idea is that you can bring your own account into an enterprise, and that sort of works on the site itself, but it does not prevent apps where you log in with GitHub from reading your organization membership once you have authorized an app on the organization level (and if you didn't, it hides the membership from oauth tokens, so it has this capability!).

A SAML session is only required if said app fetches data via a token obtained from that user - and in my glance around, this was almost never the case - SAST tools almost always use app instance tokens and are happy to show anyone with a GitHub account in your organization your code. Tailscale fixed this when I pointed it out, Sonarcloud told me to please don't tell anyone and GitHub took a few weeks to say this is totally expected behavior - when no vendor I told did, and their docs contradicted them.

I swear, reporting security bugs is a thankless endeavor, even if you just randomly stumble over them. I couldn't imagine doing this as a job.

replies(6): >>43375206 #>>43375506 #>>43375716 #>>43375938 #>>43377351 #>>43377358 #
1. eCa ◴[15 Mar 25 22:19 UTC] No.43375506[source]
> The idea is that you can bring your own account into an enterprise

The issues goes beyond authorization. I’ve had Github randomly once in a blue use my personal email address as the default when merging a work PR. If anyone asks, I advice against mixing personal and professional stuff in the same Github account (or anywhere).

replies(6): >>43375751 #>>43375789 #>>43375867 #>>43378299 #>>43378875 #>>43391280 #
2. PokestarFan ◴[15 Mar 25 23:07 UTC] No.43375751[source]
Why not just use the GitHub generated email address you get when you hide your email?
3. l72 ◴[15 Mar 25 23:13 UTC] No.43375789[source]
My company does not allow any employees to use their personal GitHub for work (or Facebook, instagram, or anything else) after running into issue when employees leave.
replies(1): >>43375911 #
4. nextts ◴[15 Mar 25 23:31 UTC] No.43375867[source]
Yeah someone said why the funny account name why not use your personal account and I thought "wat are you crazy". And that isn't because of SAML etc. just simple don't mix work and pleasure ethos! I don't use my personal email to send an email to a customer.
replies(2): >>43377083 #>>43379121 #
5. booi ◴[15 Mar 25 23:38 UTC] No.43375911[source]
Wouldn’t you just remove them from the org?
replies(1): >>43376044 #
6. onionisafruit ◴[16 Mar 25 00:11 UTC] No.43376044{3}[source]
They may decide to change their github login to <company_name>LIES, and suddenly that’s all over your old PRs and Issues. Including in public repos where customers go looking for help.
replies(1): >>43376296 #
7. TheDong ◴[16 Mar 25 01:20 UTC] No.43376296{4}[source]
That's even more true with a dedicated work github account than a mixed personal/work one; either way they can still login and edit the account name even if removed from the company org, and if it's not shared it doesn't burn their personal account too... right?

Is this speaking from experience?

replies(2): >>43376458 #>>43376464 #
8. ◴[16 Mar 25 02:01 UTC] No.43376458{5}[source]
9. wlesieutre ◴[16 Mar 25 02:02 UTC] No.43376464{5}[source]
With a dedicated work account the organization can always take over the account (via reset email if need be, since they own your work email account) and do whatever they want with it
replies(1): >>43376802 #
10. rendaw ◴[16 Mar 25 03:39 UTC] No.43376802{6}[source]
A dedicated work account _where you use your work email address_... that was the missing part throughout this thread.

But then if you do that you also lose all your open source work history, which is important from a hiring/resume perspective.

replies(3): >>43377011 #>>43377076 #>>43379051 #
11. cdogl ◴[16 Mar 25 04:56 UTC] No.43377011{7}[source]
One option for those so inclined is to cryptographically sign commits with a key that lists both work and personal email address (assuming your enterprise’s policy allows it). The employer retains control but you have a claim to credit for your work.
replies(1): >>43377181 #
12. connicpu ◴[16 Mar 25 05:26 UTC] No.43377076{7}[source]
If a spiteful ex-employer wants to scrub ex-employee authorship from the entire commit history in their public repos when someone leaves I don't think there's anything you could do to stop that either way, though it seems like it would be more trouble than it's worth and likely wouldn't scale. If they don't do that, assuming your old company email address still has your name in it I don't see why you'd lose credit for the work you did.
13. mjevans ◴[16 Mar 25 05:27 UTC] No.43377083[source]
Funny that, exactly why NOWHERE should consider a phone number any form of ID.
replies(1): >>43379755 #
14. tsimionescu ◴[16 Mar 25 06:04 UTC] No.43377181{8}[source]
If we're discussing companies willing to go to lengths to scrub you from their GitHub history, they can still replace all commits you've signed with new commits. You likely have no legal rights to that work, and git does allow you to rewrite history arbitrarily.
replies(2): >>43377693 #>>43378029 #
15. shiomiru ◴[16 Mar 25 08:49 UTC] No.43377693{9}[source]
> git does allow you to rewrite history arbitrarily.

Technically yes, but the price is too great - everybody who has cloned the repos will now have to nuke their local copies too.

replies(1): >>43379666 #
16. withinboredom ◴[16 Mar 25 10:41 UTC] No.43378029{9}[source]
It depends on the jurisdiction. In the US, copyright assignment is usually permanent. In the EU and Canada, you can claw back your rights to a degree and even revoke the usage altogether, if you manage to claw it back because they did "evil" things with it (moral rights).

In some cases (even in the US), if the employer does something that would be considered a "breach of contract", you can force them to remove all your code as well.

So, it would not be in the company's best interest to scrub their git history.

replies(1): >>43379657 #
17. whyever ◴[16 Mar 25 11:55 UTC] No.43378299[source]
Using more than one Github account violates their ToS though.
replies(1): >>43381150 #
18. MortyWaves ◴[16 Mar 25 13:24 UTC] No.43378875[source]
This is exactly why I’m so paranoid about account and device separation.

I don’t even trust Git profiles. I buy a new license for GitKraken at any job I go to, even if I could avoid it; to me the possibility of accidentally trying to commit to work GitHub with my personal GitHub or vice verse is not worth it.

It’s the same with Microsoft accounts and their infamously bad-tech-debt-caused spaghetti.

Like if you try login to Outlook on iOS and you get a threatening message to the effect of “your system administrator will be able to remotely control and wipe your entire device if you proceed”. If it’s even a possibility that an incompetent or malicious IT department wipes your personal device, then no thank you.

See also that HN thread where a father let his child use his laptop, where they signed into their Microsoft school account, and somehow his personal Microsoft account was merged into their school account and from what I could tell he was never able to fix it and the school IT department didn’t care.

replies(2): >>43379140 #>>43387096 #
19. OJFord ◴[16 Mar 25 13:43 UTC] No.43379051{7}[source]
And you could still just change it right, as long as you did so before the employer revoked your access via the work email address.
20. freeopinion ◴[16 Mar 25 13:56 UTC] No.43379121[source]
It seems to be very common to use a personal phone for work 2fa or lots of other workplace tasks. Employers seem mystified if you request a corporate device when you obviously already have your own. I even see this a little with personal vehicles.

The idea of separating work and personal seems to be becoming old-fashioned.

21. cyberpunk ◴[16 Mar 25 13:59 UTC] No.43379140[source]
Depends on the org I think now the controls are more fine grained. For example I have teams and outlook on my personal phone and the only thing they can do is delete the apps, taking a screenshot is blank, copy/paste doesn’t work etc.
replies(1): >>43380331 #
22. tsimionescu ◴[16 Mar 25 15:09 UTC] No.43379657{10}[source]
I think even in the EU and Canada, you don't have any copyright interest in work your perform as part of your employment. The copyright on the work you produce for your employer is entirely theirs, from the moment it is created.

Now, if you're a contractor performing work for a company, this may be quite different. But as an employee, I don't think you have any claim of authorship to the code you right as part of your job.

replies(1): >>43387292 #
23. tsimionescu ◴[16 Mar 25 15:11 UTC] No.43379666{10}[source]
Sure, but the same is true for unsigned commits as well, isn't it? Or can you modify the commit metadata without changing the commit hash in those cases?
replies(1): >>43381338 #
24. tsimionescu ◴[16 Mar 25 15:24 UTC] No.43379755{3}[source]
Can you elaborate on the connection you see here?
replies(1): >>43380075 #
25. mjevans ◴[16 Mar 25 16:05 UTC] No.43380075{4}[source]
Tying someone's identity to a thing they barely control and find it difficult to get more than one of.

Particularly something someone might reasonably need 3 or more different instances of. E.G. Personal SemiProfessional, Personal NSFW stuff, Work but they didn't give an X this service demands.

26. deergomoo ◴[16 Mar 25 16:44 UTC] No.43380331{3}[source]
MAM vs MDM. MAM is good when you want your developers to be reachable on Slack but they all (for good reason) refuse to install an MDM on a personal device—at least that seems to be how my employer feels.
27. asmor ◴[16 Mar 25 18:42 UTC] No.43381150[source]
You may notice the button with the two opposing arrows on top of the user menu. You should click on it.
28. shiomiru ◴[16 Mar 25 19:08 UTC] No.43381338{11}[source]
> Sure, but the same is true for unsigned commits as well, isn't it?

Yes, I think so. As I understand, GP's idea was to sign your commits proactively.

replies(1): >>43381713 #
29. tsimionescu ◴[16 Mar 25 19:57 UTC] No.43381713{12}[source]
My question was, is signing the commits really useful? Isn't it just as hard or easy to scrub you from the repo history regardless of whether the commits are signed or not?
30. soco ◴[17 Mar 25 10:55 UTC] No.43387096[source]
Not only on iOS, also Outlook on Android does the same. Ironically, Teams doesn't try the same trick, so if they have some emergency while I'm away, my folks know to only try sending me stuff in Teams, as Outlook will never be installed here.
31. withinboredom ◴[17 Mar 25 11:22 UTC] No.43387292{11}[source]
Look up "moral rights." You have some ability to revoke the usage of your work if it violates moral standards.
replies(1): >>43391342 #
32. TheNewsIsHere ◴[17 Mar 25 18:20 UTC] No.43391280[source]
GitHub is my current go-to example of an individual oriented application with business features shoehorned into it.

For awhile GitHub was rather unavoidably the only place in my company where there was no reliable line between personal and professional accounts/systems.

I moved us to Forgejo after trialing it against Github (and GitLab, and Gitea).

At a prior employer everyone just used their personal GitHub accounts for the business. Once it became a “capital-E-Enterprise” making promises about things like employee SSO, they quickly retreated to an on-premise platform (not GitHub EE).

33. TheNewsIsHere ◴[17 Mar 25 18:25 UTC] No.43391342{12}[source]
Some countries allow authors to transfer/assign or waive asserting their moral rights. Typically (and sensibly) this must be in writing.