WithSecure personnel discovered a problem with Mend.io’s SAML login option.

Today, WithSecure (formerly known as F-Secure Business) published a security advisory warning organisations of a vulnerability the company discovered in Mend.io’s application security platform.

Mend.io’s platform helps software developers identify and remediate vulnerabilities and security issues found in code libraries. According to Mend.io’s website, it has more than 1 000 customers, including 25% of the Fortune 100.

WithSecure personnel discovered a problem with Mend.io’s security assertion markup language (SAML) login option, which is a type of single sign-on authentication that allows users to access a variety of online services with a single set of login credentials.

The vulnerability discovered by WithSecure could have allowed a Mend.io customer, acting as an attacker, to use the vulnerable SAML implementation to access the data of a subset of other Mend.io customers in the same software-as-a-service (SaaS) environment by guessing or otherwise obtaining a valid e-mail address from a targeted organisation. Mend.io operates numerous SaaS environments, each hosting many customers in isolation from the others.

While the data contained in Mend.io accounts would vary between companies, its use as an application security platform makes it likely that attackers could use the information to plan targeted attacks against vulnerable pieces of software they could identify from Mend.io’s data.

“Basically, the single sign-on service would accept any legitimate customer’s e-mail address without any additional authentication. Attackers would only need to get a Mend.io account in a specific SaaS environment, configure it to accept the single sign-on authentication method, and then use an e-mail address for the target company’s account – steps which are all doable by today's cyber criminals,” said WithSecure Chief Architect Ari Inki.
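The flaw described above is a tenant-binding failure on the service-provider side: an assertion from one customer's identity provider is honoured for an e-mail address belonging to another customer. The following illustrative model is an added example, not Mend.io's code and not the actual root cause, which the advisory does not detail; tenant names, issuers and the HMAC stand-in for SAML XML signatures are all constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed tenant registry: each tenant trusts exactly one IdP issuer and
# that IdP's signing secret (an HMAC key stands in for the X.509 certificate
# a real SAML SP would validate the XML signature against).
TENANTS = {
    "victim-corp": {"issuer": "https://idp.victim.example", "key": b"victim-idp-key",
                    "users": {"alice@victim.example"}},
    "attacker-co": {"issuer": "https://idp.attacker.example", "key": b"attacker-idp-key",
                    "users": {"mallory@attacker.example"}},
}

@dataclass(frozen=True)
class Assertion:
    issuer: str    # SAML <Issuer>
    email: str     # <NameID> / e-mail attribute
    sig: bytes     # signature over "issuer|email"

def sign(issuer, email, key):
    return hmac.new(key, f"{issuer}|{email}".encode(), hashlib.sha256).digest()

def _tenant_for_issuer(issuer):
    for name, t in TENANTS.items():
        if t["issuer"] == issuer:
            return name
    return None

def _verify(assertion, tenant):
    expected = sign(assertion.issuer, assertion.email, TENANTS[tenant]["key"])
    return hmac.compare_digest(expected, assertion.sig)

def login_vulnerable(assertion):
    """Accepts any registered IdP, then resolves the e-mail across ALL tenants."""
    tenant = _tenant_for_issuer(assertion.issuer)
    if tenant is None or not _verify(assertion, tenant):
        return None
    for name, t in TENANTS.items():           # global lookup: cross-tenant match
        if assertion.email in t["users"]:
            return (name, assertion.email)
    return None

def login_hardened(assertion):
    """Resolves the e-mail only inside the tenant that owns the signing IdP."""
    tenant = _tenant_for_issuer(assertion.issuer)
    if tenant is None or not _verify(assertion, tenant):
        return None
    if assertion.email not in TENANTS[tenant]["users"]:
        return None                           # e-mail must belong to this tenant
    return (tenant, assertion.email)
```

In the hardened path the only identity the SP trusts is "the IdP registered for tenant T says this is user U of tenant T"; an e-mail address on its own never selects the account.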

WithSecure contacted Mend.io with its concerns in May 2023. Mend.io responded promptly to confirm WithSecure’s findings, and the two companies began working on a fix, which has now been implemented into the platform.

“Securing our customers’ data is vital to our organisation and we’re happy that WithSecure was proactive in helping us identify and fix this problem. By working together, we were able to move quickly to ensure the issue was fixed before it was used by any threat actors to attack our customers,” said Robert Nilsson, Executive Vice-President of Customer Experience at Mend.io.

More information on the vulnerability is available on WithSecure Labs: https://labs.withsecure.com/advisories/mend-cross-tenant-access.