top | item 30775314

bytelines | 4 years ago

> This is an application built with least privilege in mind

Uh huh, makes sense

> Named SuperUser

Uhh...

It lists all the operations that it can't do, but not what it can do. Can they download a private SAML certificate? Can they impersonate a user? Can they configure SSO and MFA settings? Can they download audit logs?
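bytelines' point, that a role documented only by what it cannot do leaves every unlisted (and every future) operation implicitly granted, as an added Go example that is not from this thread or from Okta's product. The operation names, the catalog and the "support" role are hypothetical; the last catalog entry stands in for a capability shipped after the role was written.

```go
package main

import "fmt"

// Role is a permission set expressed one of two ways. Exactly one of Allowed
// or Denied is populated: Allowed lists what the role may do (default deny);
// Denied lists what it may not do, and everything else is implicitly permitted.
type Role struct {
	Name    string
	Allowed map[string]bool
	Denied  map[string]bool
}

func set(ops ...string) map[string]bool {
	m := map[string]bool{}
	for _, op := range ops {
		m[op] = true
	}
	return m
}

// Permits evaluates one operation against the role.
func Permits(r Role, op string) bool {
	if r.Allowed != nil {
		return r.Allowed[op]
	}
	return !r.Denied[op]
}

// Catalog is every operation the (hypothetical) admin console exposes. The
// last entry models a capability added in a later release, after the roles
// were written and documented.
var Catalog = []string{
	"reset_user_password", "create_user", "view_user_profile",
	"download_audit_log", "configure_sso", "download_idp_signing_key",
}

// Drift returns the catalog operations a role permits beyond the intended
// list, i.e. what a reviewer has to discover by inspection rather than read
// off the role definition.
func Drift(r Role, intended []string) []string {
	want := set(intended...)
	var extra []string
	for _, op := range Catalog {
		if Permits(r, op) && !want[op] {
			extra = append(extra, op)
		}
	}
	return extra
}

func main() {
	intended := []string{"reset_user_password", "view_user_profile"}
	// The same "support" role, written both ways.
	denyStyle := Role{Name: "support", Denied: set("create_user", "download_audit_log", "configure_sso")}
	allowStyle := Role{Name: "support", Allowed: set(intended...)}
	fmt.Println("deny-list drift:", Drift(denyStyle, intended))  // [download_idp_signing_key]
	fmt.Println("allow-list drift:", Drift(allowStyle, intended)) // []
}
```

The deny-list role silently acquires `download_idp_signing_key` the moment that operation exists; nobody had to grant it. The allow-list role has to be edited before it can do anything new, which is also what makes it auditable: the role definition is the documentation.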

tgsovlerkhgsel | 4 years ago

> Can they download a private SAML certificate?

Oh, that's a good one. Definitely something that the software should not allow, because I can't see a legitimate reason for this (allowing the certificate to be downloaded is fine, but not the key).

bostik | 4 years ago

This was my topmost question too. The report very cleanly omits any and all mentions of SAML signing certificates.

SolarWinds was the first known incident to escalate to a so-called "Golden SAML" attack. If the support staff had access to signing certificates, then that would open the door to a wide-scale exploitation of Okta's clients.

A shower of Golden SAMLs, if you like.
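The Golden SAML scenario bostik refers to, as an added Go example that is not from this thread or from any vendor's code. It is a toy IdP/SP pair standing in for real SAML (fields are signed as a joined string rather than as XML-DSig over canonicalised XML, assertion IDs are sequential, and the SP's trust anchor is the raw public key instead of a metadata certificate); the issuer and audience URLs are made up. It shows that once the IdP's private signing key is in an attacker's hands, the SP has no way to tell a minted assertion from a genuine one. The only place the forgery is visible is the IdP's own issuance log, which is why detection of Golden SAML relies on correlating SP-side logins against IdP-side authentication events.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion: the fields an SP
// relies on plus an RSA signature over them (real SAML uses XML-DSig).
type Assertion struct {
	ID, Issuer, Subject, Audience string
	NotAfter                      time.Time
	Signature                     []byte
}

var seq int // constructed, sequential IDs; real assertion IDs are random

func newAssertion(issuer, subject, audience string, now time.Time) *Assertion {
	seq++
	return &Assertion{ID: fmt.Sprintf("_%d", seq), Issuer: issuer, Subject: subject,
		Audience: audience, NotAfter: now.Add(5 * time.Minute)}
}

// digest hashes the signed fields; the signature is over this hash.
func (a *Assertion) digest() []byte {
	d := sha256.Sum256([]byte(strings.Join([]string{a.ID, a.Issuer, a.Subject,
		a.Audience, a.NotAfter.UTC().Format(time.RFC3339)}, "|")))
	return d[:]
}

// sign attaches an RSA PKCS#1 v1.5 signature (a valid key does not fail here).
func sign(key *rsa.PrivateKey, a *Assertion) *Assertion {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, a.digest())
	if err != nil {
		panic(err)
	}
	a.Signature = sig
	return a
}

// IdP holds the signing key and its issuance log (the audit trail).
type IdP struct {
	Name   string
	key    *rsa.PrivateKey
	issued map[string]bool // assertion IDs this IdP actually minted
}

func NewIdP(name string) *IdP {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &IdP{Name: name, key: key, issued: map[string]bool{}}
}

// Issue mints an assertion the normal way: after authentication, and logged.
func (p *IdP) Issue(subject, audience string, now time.Time) *Assertion {
	a := newAssertion(p.Name, subject, audience, now)
	p.issued[a.ID] = true
	return sign(p.key, a)
}

// Forge is the Golden SAML step: with the exfiltrated key, mint an assertion
// for any subject without authenticating and without touching the IdP's log.
func Forge(stolen *rsa.PrivateKey, issuer, subject, audience string, now time.Time) *Assertion {
	return sign(stolen, newAssertion(issuer, subject, audience, now))
}

// SP trusts the IdP by verifying assertions against its public key (the
// certificate published in SAML metadata, in a real deployment).
type SP struct {
	Audience, IdPName string
	IdPPub            *rsa.PublicKey
}

func (s *SP) Accept(a *Assertion, now time.Time) error {
	if a.Issuer != s.IdPName || a.Audience != s.Audience || now.After(a.NotAfter) {
		return errors.New("issuer, audience or validity window rejected")
	}
	return rsa.VerifyPKCS1v15(s.IdPPub, crypto.SHA256, a.digest(), a.Signature)
}

// Scenario returns: genuine assertion accepted; genuine assertion edited
// without the key accepted; forged assertion accepted; forged ID in IdP log.
func Scenario() (legitOK, tamperedOK, forgedOK, forgedLogged bool) {
	now := time.Now()
	idp := NewIdP("https://idp.example.test")
	sp := &SP{Audience: "https://app.example.test", IdPName: idp.Name, IdPPub: &idp.key.PublicKey}
	legit := idp.Issue("alice@example.test", sp.Audience, now)
	// Without the key, editing a genuine assertion breaks its signature;
	// with the key (assumed exfiltrated), no tampering is needed at all.
	tampered := *legit
	tampered.Subject = "admin@example.test"
	forged := Forge(idp.key, idp.Name, "admin@example.test", sp.Audience, now)
	return sp.Accept(legit, now) == nil, sp.Accept(&tampered, now) == nil,
		sp.Accept(forged, now) == nil, idp.issued[forged.ID]
}

func main() { fmt.Println(Scenario()) }
```

Every check the SP performs (issuer, audience, validity window, signature) is something the attacker controls when they hold the key, so none of them help; MFA at the IdP is bypassed too, because the attacker never authenticates there. The forged assertion's absence from `idp.issued` is the detection hook, and rotating the signing key is the only remediation.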