Hacker News new | ask | show | jobs
by bytelines 1546 days ago
> This is an application built with least privilege in mind

Uh huh, makes sense

> Named SuperUser

Uhh...

It lists all the operations that it can't do, but not what it can do. Can they download a private SAML certificate? Can they impersonate a user? Can they configure SSO and MFA settings? Can they download audit logs?
1 comments
tgsovlerkhgsel 1546 days ago
> Can they download a private SAML certificate?

Oh, that's a good one. Definitely something that the software should not allow, because I can't see a legitimate reason for this (allowing to download the certificate is fine, but not the key).

link
bostik 1546 days ago
This was my topmost question too. The report very cleanly omits any and all mentions of SAML signing certificates.

Solar Winds was the first known incident to escalate to so called "Golden SAML" attack. If the support staff had access to signing certificates, then that would open the door to a wide-scale exploitation of Okta's clients.

A shower of Golden SAMLs, if you like.

link
zaroth 1546 days ago
Caution to fellow readers: Put down your drink before reading the last line of this post.
link