- The victim has an account on the SP and uses his Identifier, e.g. https://google.com?id=victim, for authentication.
- The Identifier of the victim is controlled by a trusted IdP, e.g. Google.
- The attacker knows which Identifier the victim is using on the SP.
- The attacker deploys his malicious IdP on a publicly accessible domain, e.g. http://mIdP.com. By “malicious”, we mean that the IdP issues tokens containing Identifiers that are controlled by other IdPs, e.g. Google, Yahoo, Wordpress.
- The SP discovers the malicious IdP and establishes a shared key (with the malicious IdP) during the association phase.
- The SP redirects the browser to the malicious IdP.
- The malicious IdP generates an authentication token containing the victim's Identifier, https://google.com?id=victim.
- The token is sent to the target SP and the attacker gets access to the victim's account.
Please consider the fact that no communication with "Google User 1" or "Google IdP" is needed to execute the attack.
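As an added example (not code from the original post or its authors), the following Python sketch shows the SP-side check that would reject the token from step 7: the SP performs its own discovery on the claimed Identifier and only accepts the assertion if the asserting `op_endpoint` is the one discovery returned and the association handle was negotiated with that same endpoint. The discovery table, association store, endpoint URLs and the token fields are constructed values.

```python
# Added example: SP-side check against the ID Spoofing steps above (not the post's code).
REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "identity",
                   "return_to", "response_nonce", "assoc_handle"}

# Constructed stand-in for the SP's own discovery on the claimed Identifier:
# which OP endpoint is authoritative for it (the URLs are assumed values).
DISCOVERY = {"https://google.com?id=victim": "https://www.google.com/accounts/o8/ud"}

# Constructed association store: handle -> OP endpoint the shared key was set up with.
ASSOCIATIONS = {"assoc-google-1": "https://www.google.com/accounts/o8/ud",
                "assoc-midp-1": "http://mIdP.com/openid"}


def verify_assertion(params, discovery=DISCOVERY, associations=ASSOCIATIONS):
    """Return (accepted, reason) for a positive OpenID 2.0 assertion.
    Assumes the HMAC signature was already checked with the association key;
    this covers the binding between claimed_id and the OP that asserted it."""
    signed = set(params.get("openid.signed", "").split(","))
    missing = REQUIRED_SIGNED - signed
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    claimed_id = params.get("openid.claimed_id", "")
    asserted_op = params.get("openid.op_endpoint", "")
    # The SP must discover claimed_id itself rather than trust the token for it.
    discovered_op = discovery.get(claimed_id)
    if discovered_op is None:
        return False, "discovery failed for " + claimed_id
    if discovered_op != asserted_op:
        # ID Spoofing: mIdP asserts an Identifier that Google controls.
        return False, "op_endpoint not authoritative for claimed_id"
    if associations.get(params.get("openid.assoc_handle")) != asserted_op:
        return False, "assoc_handle not established with asserting OP"
    return True, "ok"


def spoofed_assertion():
    """Constructed token as the malicious IdP would issue it in step 7."""
    return {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
            "openid.op_endpoint": "http://mIdP.com/openid",
            "openid.claimed_id": "https://google.com?id=victim",
            "openid.identity": "https://google.com?id=victim",
            "openid.return_to": "https://sp.example/return",
            "openid.response_nonce": "2015-01-01T00:00:00Zabc",
            "openid.assoc_handle": "assoc-midp-1",
            "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
            "openid.sig": "constructed"}
```

The same token with `openid.op_endpoint` set to the endpoint discovery returns for the Identifier and a handle negotiated with that endpoint passes the check, which is what separates a genuine Google assertion from the spoofed one.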
Authors of this Post: Vladislav Mladenov, Christian Mainka (@CheariX)