Google SAML Single Sign-On vulnerability

Credit: Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, Llanos Tobarra
Class: Impersonation
Remote: Yes
Risk: HIGH
Product: Google Apps - Single Sign-On service
Version: version before 28/08/2008
Vendor: http://www.google.com/apps/
Patch: version after 28/08/2008, http://code.google.com/apis/apps/libraries_and_samples.html#sso

Google's Single Sign-On service allows partner companies to give their employees and users direct and transparent access to popular web-based Google Apps such as Gmail or Google Calendar.

+] Vulnerability Description

The attack allowed a dishonest service provider to access Google Apps under the identity of an unaware user.

+] Attack Proof of Concept

Identity providers authenticate users and pass authentication assertions to service providers, which then grant access to restricted services or resources (e.g., Gmail in Google Apps). In the SAML-based Single Sign-On (SSO) implementation, the authentication response included neither the identifier of the authentication request nor the identity of the service provider it was issued for. Because nothing in the response tied it to a particular request or a particular service provider, a malicious service provider could impersonate a user at Google Apps simply by replaying to Google the authentication response it had received for that user.

More details can be found here: http://www.ai-lab.it/armando/GoogleSSOVulnerability.html

+] Patch

Google was contacted on May 25, 2008. Google released the patch and informed its customers on July 02, 2008.

The vulnerability was discovered in the context of the EU FP7 project AVANTSSAR (www.avantssar.eu) by Prof. Armando and Roberto Carbone (U. of Genova), Dr. Luca Compagna (SAP Research, France), Dr. Jorge Cuellar (Siemens AG, Germany), and Llanos Tobarra (U. of Castilla-La Mancha, Spain).
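The two missing bindings described above (request identifier and intended service provider) correspond to the InResponseTo attribute and the AudienceRestriction element in a SAML 2.0 response. The following is an added illustration, not code from the advisory or from Google, of the check a relying party performs before accepting an assertion; the request IDs, entity IDs and the sample responses are constructed, and signature verification is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used to locate the assertion's AudienceRestriction.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def check_response_binding(response_xml, expected_request_id, expected_audience):
    """Return (ok, reason). Accept only a response bound to the request this
    service provider actually issued AND to this service provider's entity ID.
    A response issued for another SP, or for no particular request, fails."""
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return False, "missing InResponseTo: cannot tie response to any request"
    if in_response_to != expected_request_id:
        return False, "InResponseTo does not match the outstanding request ID"
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if not audiences:
        return False, "missing AudienceRestriction: cannot tie assertion to this SP"
    if expected_audience not in audiences:
        return False, "assertion was issued for a different service provider"
    return True, "response bound to this request and this SP"

def build_response(request_id=None, audience=None, subject="alice@example.com"):
    """Build a constructed, unsigned sample response (not real Google traffic).
    Omitting request_id/audience mimics a response that carries neither binding."""
    irt = f' InResponseTo="{request_id}"' if request_id else ""
    aud = ""
    if audience:
        aud = ("<saml:Conditions><saml:AudienceRestriction>"
               f"<saml:Audience>{audience}</saml:Audience>"
               "</saml:AudienceRestriction></saml:Conditions>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_r1"{irt}>'
            f"<saml:Assertion><saml:Subject><saml:NameID>{subject}</saml:NameID>"
            f"</saml:Subject>{aud}</saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    google = "https://www.google.com/a/example.com"  # assumed SP entity ID
    # A response issued to a different SP for a different request is rejected,
    # which is exactly the replay the check above is meant to stop.
    print(check_response_binding(build_response("_sp-req-7", "https://other-sp.example"),
                                 "_req42", google))
```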