Business logic vulnerability on the SSO between portal and the community

  • 22 September 2023
  • 4 replies
  • 680 views


First of all, love the new Lacework community. Thank you for building it and the invitation.


In my opinion, there is a security flaw in the current implementation of Portal SSO when it interacts with the community.


Currently, when the user logs in to the community page, the user is granted full access to the portal page https://portal.lacework.com/app/UserHome

The logout functionality appears to have a flaw as it allows users to easily log back in without entering any username or password credentials. This poses a security risk and needs to be addressed.

Moreover, an effective example of Single Sign-On implementation can be seen with Okta and Jira. In this case, users are unable to access Okta through the Jira login, ensuring a more secure authentication process.


Since the Lacework portal and/or community page is perpetually logged in, an attacker has the potential to manipulate any settings within the system (e.g. XSS or phishing). This poses a significant security risk as unauthorized individuals could exploit this vulnerability to make unauthorized changes or access sensitive information.

It is evident that there is a business logic vulnerability that needs to be resolved.


Agent: N/A
Platform: Using Lacework/Operationalizing
Cloud: N/A



Hi @I.H.,

First of all, thank you for your post and bringing this to our attention! We have gone ahead and updated our login/logout behavior to use a single log out. This means when you log out of community you will be logged out of your SSO account and be forced to sign back in to access community or Okta again. 

Please let me know if you have any additional concerns. And thanks again for helping make this community better and more secure!

Katie Borzone
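The behaviour reported in this thread and the single logout fix, modelled as an added Python example (not code from Lacework or from anyone in the thread; the identity provider, the app names and the demo password are constructed stand-ins):

```python
import secrets

class IdentityProvider:
    """Constructed stand-in for the SSO provider; holds the shared SSO sessions."""
    def __init__(self):
        self.sessions = {}  # SSO session id -> username
    def login(self, username, password):
        """Interactive login, the only step that asks for credentials (demo password)."""
        if password != "demo-password":
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid
    def end_session(self, sid):
        """RP-initiated logout: invalidates the shared SSO session."""
        self.sessions.pop(sid, None)

class RelyingParty:
    """One application behind SSO, e.g. the portal or the community."""
    def __init__(self, name, idp):
        self.name, self.idp, self.cookies = name, idp, {}  # app cookie -> SSO sid
    def visit(self, browser):
        """Return the user this app sees, or None if it would show a login form."""
        cookie = browser.get(self.name)
        if cookie in self.cookies:
            return self.idp.sessions.get(self.cookies[cookie])
        # No app cookie: redirect to the IdP. While the SSO session is alive the
        # IdP signs the user back in silently, with no username/password prompt.
        user = self.idp.sessions.get(browser.get("sso"))
        if user is None:
            return None
        browser[self.name] = cookie = secrets.token_hex(16)
        self.cookies[cookie] = browser["sso"]
        return user
    def logout_local_only(self, browser):
        """Reported behaviour: clears only this app's cookie; the SSO session survives."""
        self.cookies.pop(browser.pop(self.name, None), None)
    def logout_single(self, browser):
        """Fixed behaviour: also end the SSO session so every app needs a fresh login."""
        self.logout_local_only(browser)
        self.idp.end_session(browser.pop("sso", None))

def scenario(single_logout):
    """Sign in once, log out of the community, then revisit both apps."""
    idp = IdentityProvider()
    community, portal = RelyingParty("community", idp), RelyingParty("portal", idp)
    browser = {"sso": idp.login("alvin", "demo-password")}  # the browser's cookie jar
    assert community.visit(browser) == "alvin" and portal.visit(browser) == "alvin"
    (community.logout_single if single_logout else community.logout_local_only)(browser)
    return community.visit(browser), portal.visit(browser)
```

With local-only logout both apps still see the user afterwards without any credential prompt; with single logout both fall back to the login form.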


Hi @katherine.borzone,


Thank you for the quick reactions from you and the team. Can I get the early adopter badge and Lacework swag? Well, my daughters would love the Lacework version of Barbie if that’s not too much to ask. 😄 


Kind Regards,

Alvin

I can arrange this.


Thank you, @Grant Martin. I’ll DM you.
