search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Google SAML Single Sign on vulnerability

Vulnerability Note VU#612636

Original Release Date: 2008-09-02 | Last Revised: 2008-09-25

Overview

The SAML Single Sign-On (SSO) Service for Google Apps contained a vulnerability that could have allowed an attacker to gain access to a user's Google account.

Description

The Security Assertion Markup Language (SAML) is a standard for transmitting authentication data between two or more security domains. In SAML language, XML security packets are called assertions. Identity providers pass assertions to service providers who allow the requests. In the Google Single Sign on (SSO) implementation, the authentication response did not include the identifier of the authentication request or the identity of the recipient. This may allow a malicious service provider to impersonate a user at other service providers.

More technical information about this issue is available in the Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps whitepaper which is available here: http://www.ai-lab.it/armando/GoogleSSOVulnerability.html

Note that to exploit this vulnerability, the attacker would have to convince the user to login to their site.

Impact

A malicious service provider might have been able to access a user's Google Account or other services offered by different identity providers.

Solution

Google has addressed this issue by changing the behavior of their SSO implemenation. Administrators and developers were required to update their identity provider to provide a valid recipient field in their assertions.


Do not log into untrusted sites

To mitigate future vulnerabilities, users should use caution when providing their credentials to log into Google services via third party service providers.

Vendor Information

612636
 
Expand all

Google Affected

Notified:  June 18, 2008 Updated: September 02, 2008

Status

Affected

Vendor Statement

Google was notified of this issue a few months ago. Once notified, work proceeded swiftly to provide a safe solution for customers. Google notified customers that could be vulnerable directly, and provided clear instructions on how to protect their systems. There have been no reports of this vulnerability being exploited.

Google would like to thank Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, and Llanos Tobarra Abad with the AVANTSSAR project (http://www.avantssar.eu) for responsibly disclosing this issue and providing technical assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Alessandro Armando and the AVANTSSAR Project for reporting this issue and to Google for providing technical information and feedback

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 2.10
Date Public: 2008-06-13
Date First Published: 2008-09-02
Date Last Updated: 2008-09-25 18:47 UTC
Document Revision: 23

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis