科技回声

This is a completely unacceptable vulnerability in any software purporting itself to be an identity provider. OP, name and shame this provider. I do not want to find myself using it.

Nice find! As for the provider, since they missed this extremely basic step (don't trust the client!!) I would expect they have <i>many</i> more undiscovered vulnerabilities.

This is honestly the kind of mistake I'd expect a child to make. It shows a complete lack of understanding of how the web works. And this was put into production by a so-called security company? I think a name and shame is appropriate here. This isn't excusable, it's just straight up incompetence.

I wish the article provided the name of the vendor!

You did not hack anything and that is far from being a security vulnerability, on the side of the SSO.

Never trust the (web) client, sanitize/validate the shit out of everything, and stop using JavaScript...

This is a completely unacceptable vulnerability in any software purporting itself to be an identity provider. OP, name and shame this provider. I do not want to find myself using it.

Nice find! As for the provider, since they missed this extremely basic step (don't trust the client!!) I would expect they have <i>many</i> more undiscovered vulnerabilities.

I wish the article provided the name of the vendor!

You did not hack anything and that is far from being a security vulnerability, on the side of the SSO.

Never trust the (web) client, sanitize/validate the shit out of everything, and stop using JavaScript...

I hacked my company's SSO provider

6 条评论

I hacked my company's SSO provider

6 条评论