←back to thread

Sign in as anyone: Bypassing SAML SSO authentication with parser differentials

(github.blog)
312 points campuscodi | 1 comments | 15 Mar 25 19:06 UTC | HN request time: 0.212s | source
Show context
asmor ◴[15 Mar 25 20:50 UTC] No.43375068[source]
GitHub's SAML implementation is useless. The idea is that you can bring your own account into an enterprise, and that sort of works on the site itself, but it does not prevent apps where you log in with GitHub from reading your organization membership once you have authorized an app on the organization level (and if you didn't, it hides the membership from oauth tokens, so it has this capability!).

A SAML session is only required if said app fetches data via a token obtained from that user - and in my glance around, this was almost never the case - SAST tools almost always use app instance tokens and are happy to show anyone with a GitHub account in your organization your code. Tailscale fixed this when I pointed it out, Sonarcloud told me to please don't tell anyone and GitHub took a few weeks to say this is totally expected behavior - when no vendor I told did, and their docs contradicted them.

I swear, reporting security bugs is a thankless endeavor, even if you just randomly stumble over them. I couldn't imagine doing this as a job.

replies(6): >>43375206 #>>43375506 #>>43375716 #>>43375938 #>>43377351 #>>43377358 #
eCa ◴[15 Mar 25 22:19 UTC] No.43375506[source]
> The idea is that you can bring your own account into an enterprise

The issues goes beyond authorization. I’ve had Github randomly once in a blue use my personal email address as the default when merging a work PR. If anyone asks, I advice against mixing personal and professional stuff in the same Github account (or anywhere).

replies(6): >>43375751 #>>43375789 #>>43375867 #>>43378299 #>>43378875 #>>43391280 #
MortyWaves ◴[16 Mar 25 13:24 UTC] No.43378875[source]
This is exactly why I’m so paranoid about account and device separation.

I don’t even trust Git profiles. I buy a new license for GitKraken at any job I go to, even if I could avoid it; to me the possibility of accidentally trying to commit to work GitHub with my personal GitHub or vice verse is not worth it.

It’s the same with Microsoft accounts and their infamously bad-tech-debt-caused spaghetti.

Like if you try login to Outlook on iOS and you get a threatening message to the effect of “your system administrator will be able to remotely control and wipe your entire device if you proceed”. If it’s even a possibility that an incompetent or malicious IT department wipes your personal device, then no thank you.

See also that HN thread where a father let his child use his laptop, where they signed into their Microsoft school account, and somehow his personal Microsoft account was merged into their school account and from what I could tell he was never able to fix it and the school IT department didn’t care.

replies(2): >>43379140 #>>43387096 #
1. soco ◴[17 Mar 25 10:55 UTC] No.43387096[source]
Not only on iOS, also Outlook on Android does the same. Ironically, Teams doesn't try the same trick, so if they have some emergency while I'm away, my folks know to only try sending me stuff in Teams, as Outlook will never be installed here.