TUESDAY, JULY 7, 2026 48° E  /  GLOBAL TECH · SUMMARISED SUBSCRIBE
AI, business, devices, policy — global tech, summarised every 30 minutes.
Security · 3h ago

SSO Bug Let Attackers Hijack Accounts via Email Claim

By Meridian48 News Desk · Summarised from DEV Community ·

A bug in Authagonal's SSO integration allowed attackers to take over any account by asserting any email in a SAML or OIDC assertion. The flaw was using email as the join key, which is forgeable when the attacker controls their own identity provider. The fix was to use the (provider, sub) pair instead.

Meridian48 take
This is a textbook example of why email should never be a primary key in federated auth—a lesson many developers learn the hard way.
Read the full reporting
An identity provider told us who you were, and we believed it →
DEV Community
ssoaccount-takeover
More security briefs
Go deeper on security
AllAIStartupsBusinessDevicesPolicySecurityDev ToolsPakistan