SSO Exploits: Ping One + PingFed Push

Exploit Type: AitM, Session Hijacking
Login Factors: Password, Push

What happened?

An adversary sets up a phishing proxy server that looks and behaves exactly like the SSO login page. The proxy relays traffic to the real authentication server and captures everything that passes through it in either direction.

A victim is phished into visiting the malicious site and enters their username and password, and successfully completes the Push prompt.

Because the victim authenticated through the phishing proxy, the adversary captures the username, the password, and the session cookie issued for the application the victim signed in to. The adversary can use the stolen credentials and session to perform malicious actions such as account takeover, data theft, or further lateral movement within the network.

Why is this an exploit?

If a victim is lured into visiting a phishing site, then Push as a second factor offers no additional defense. The real authentication server accepts the login request coming from the adversary's phishing server, and the login experience is exactly the same for the end user. The end user is left trusting that the experience they see is legitimate, with nothing to tell them otherwise.

Neither the victim nor the system administrator is notified, because the credentials used to access the system are stolen but otherwise legitimate.

How do you prevent this from happening?

Use phish-resistant MFA with origin validation. The authentication server should accept requests only from legitimate domains, never from a proxy on an attacker-controlled domain. Even if a user falls for the phishing page, the authentication service should refuse the unsafe access outright.
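Origin validation is what makes a WebAuthn-style factor phish-resistant: the browser writes the page's real origin into the signed client data, and the authenticator binds the assertion to the relying party ID, so an assertion relayed through a proxy on another domain carries the wrong origin and fails. The following added example (not code from Beyond Identity, Ping, or this page) shows that server-side check in Python. The hostnames `sso.example.com` and `sso-example.com`, the RP ID, the challenge bytes, and the `make_sample` helper that fabricates assertion data are all constructed for illustration; the cryptographic signature verification that follows these checks in a real relying party is left out on purpose.

```python
import base64
import hashlib
import json
from typing import Tuple

# Origins and RP ID the real SSO login page is served from (assumed values).
ALLOWED_ORIGINS = {"https://sso.example.com"}
RP_ID = "sso.example.com"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def validate_assertion_origin(client_data_json: bytes,
                              authenticator_data: bytes,
                              expected_challenge: bytes) -> Tuple[bool, str]:
    """Origin-binding checks a relying party runs on a WebAuthn assertion.

    Returns (ok, reason). These checks precede signature verification;
    an assertion that fails here is rejected before any key is consulted.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge must be the one this server issued for this login.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser, not the page, fills in the origin, so a phishing proxy
    # on another domain cannot present the legitimate one.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    # authenticatorData: rpIdHash (32 bytes) | flags (1 byte) | counter (4 bytes) ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:  # bit 0: user present
        return False, "user presence flag not set"
    return True, "origin checks passed"


def make_sample(origin: str, rp_id: str, challenge: bytes,
                flags: int = 0x05) -> Tuple[bytes, bytes]:
    """Constructed test data standing in for what a browser/authenticator emits."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags])
                 + (7).to_bytes(4, "big"))
    return client_data, auth_data


# Constructed challenge the server would have issued for this login attempt.
CHALLENGE = bytes(range(32))

if __name__ == "__main__":
    # Legitimate login from the real SSO page.
    print(validate_assertion_origin(
        *make_sample("https://sso.example.com", "sso.example.com", CHALLENGE), CHALLENGE))
    # Same user, same challenge, but relayed through a look-alike proxy domain.
    print(validate_assertion_origin(
        *make_sample("https://sso-example.com", "sso-example.com", CHALLENGE), CHALLENGE))
    # Legitimate origin but an old challenge being replayed.
    print(validate_assertion_origin(
        *make_sample("https://sso.example.com", "sso.example.com", b"\x00" * 32), CHALLENGE))
```

Contrast this with the Push flow described above: a push approval carries no information about which origin the user was looking at, so the server has nothing to compare against and the proxied login is indistinguishable from a genuine one.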

Also, consider removing Push from your authentication flow altogether, as it is a known phishable login factor.

Check out how Beyond Identity's phish-resistant MFA prevents this exploit from happening.
