Security · 3h ago
SSO Bug Let Attackers Hijack Accounts via Email Claim
A bug in Authagonal's SSO integration allowed attackers to take over any account by asserting any email in a SAML or OIDC assertion. The flaw was using email as the join key, which is forgeable when the attacker controls their own identity provider. The fix was to use the (provider, sub) pair instead.
Meridian48 take
This is a textbook example of why email should never be a primary key in federated auth—a lesson many developers learn the hard way.
Read the full reporting
An identity provider told us who you were, and we believed it →
DEV Community
ssoaccount-takeover