In this post, we describe a vulnerability in Drupal's OpenID SSO module that shipped with Drupal core prior to versions 6.30 and 7.26. The attack allows an attacker to log in as an arbitrary user (even as an admin) and does not require any interaction with the victim. The vulnerability was reported to the Drupal Security Team, which fixed it at the beginning of 2014 (SA-CORE-2014-001).
To detect the vulnerability, we developed a novel SSO attack technique called Key Confusion. We discovered the attack by setting up our own IdP for analyzing and attacking SSO (see Part 1 of our SSO attack series).
Key Confusion Attack on SSO
In Single Sign-On protocols like OpenID, OpenID Connect, SAML or BrowserID, the SSO token that is transferred from the IdP to the SP via the user's browser is cryptographically protected. In the case of OpenID, an HMAC is used.
Because decentralized SSO involves multiple IdPs, the question that arises is:
How does the SP pick the right key to verify the token?
The basic idea of the Key Confusion attack is to make the SP verify the token with a key that the SP believes belongs to an honest party (e.g. Google, Yahoo), while in fact the key belongs to the attacker. The attacker therefore has to set up their own IdP, which we refer to as the “malicious IdP”.
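To make the key-selection question concrete, the following is an added example (not code from the original post, and not Drupal's OpenID module) modelling a minimal SP-side verifier for OpenID 2.0 positive assertions. The endpoints, association handles, shared secrets and the discovery table are constructed sample values, and `return_to`/`response_nonce` handling is omitted for brevity. `verify_key_confused` selects the HMAC key purely from fields stated in the response, so the SP ends up trusting whichever association the response names; `verify_bound` selects the key from the OP endpoint that discovery returned for the claimed identity, which is the binding an SP needs in order to know that the key it verifies with really belongs to the party authoritative for that identity.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not from the original post or from Drupal).
HONEST_OP = "https://honest-idp.example/op"
OTHER_OP = "https://other-idp.example/op"

# The SP's association store, keyed by (OP endpoint, association handle).
# An SP that accepts many IdPs holds many such associations; the secrets are sample values.
ASSOCIATIONS = {
    (HONEST_OP, "h-1"): b"honest-idp-shared-secret",
    (OTHER_OP, "o-1"): b"other-idp-shared-secret",
}

# Discovery result for a claimed identity: which OP endpoint is authoritative for it.
# Constructed; a real SP obtains this via Yadis/HTML discovery on the claimed_id.
DISCOVERED_OP = {
    "https://alice.example/": HONEST_OP,
}


def signed_string(params, signed_names):
    """Build the OpenID 2.0 signature base: 'name:value\\n' for each signed field."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_names)


def hmac_sha256_b64(key, data):
    """HMAC-SHA256 over the signature base, base64-encoded as OpenID transports it."""
    return base64.b64encode(hmac.new(key, data.encode(), hashlib.sha256).digest()).decode()


def make_assertion(op_endpoint, handle, claimed_id, key):
    """An OP builds a positive assertion signed with the association key it shares with the SP."""
    signed = ["op_endpoint", "claimed_id", "identity", "assoc_handle"]
    params = {
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(signed),
    }
    params["openid.sig"] = hmac_sha256_b64(key, signed_string(params, signed))
    return params


def _sig_matches(params, key):
    expected = hmac_sha256_b64(key, signed_string(params, params["openid.signed"].split(",")))
    return hmac.compare_digest(expected, params["openid.sig"])


def verify_key_confused(params):
    """Weak SP: the HMAC key is chosen from op_endpoint/assoc_handle as stated in the
    response itself. Any OP the SP holds an association with can produce an assertion
    that verifies, whether or not that OP is authoritative for claimed_id."""
    key = ASSOCIATIONS.get((params["openid.op_endpoint"], params["openid.assoc_handle"]))
    return key is not None and _sig_matches(params, key)


def verify_bound(params):
    """Hardened SP: the key is chosen from the OP endpoint that discovery returned for
    claimed_id, and the asserted op_endpoint must equal it. A signature under another
    OP's association never verifies for this identity."""
    authoritative_op = DISCOVERED_OP.get(params["openid.claimed_id"])
    if authoritative_op is None or authoritative_op != params["openid.op_endpoint"]:
        return False
    key = ASSOCIATIONS.get((authoritative_op, params["openid.assoc_handle"]))
    return key is not None and _sig_matches(params, key)
```

Running both verifiers over an assertion for `https://alice.example/` signed under the honest OP's association accepts it in both cases; the same identity asserted under the other OP's association passes only the confused verifier. The test an SP should keep is the second case: a valid HMAC is not enough, the key it was made with has to be the one tied to the IdP that discovery names for the identity being logged in.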
The following figure depicts the concept: