How I hacked my company's SSO provider

I never thought I'd stumble across a previously-undiscovered vulnerability, much less one in security software. I love reading stories about how people find and report bugs, and how the companies react (preferably thankfully!). I also admire the deep analytical skills required to deconstruct exploitable software, because I would give up long before some of these geniuses.
And yet, I have my own story! One of the most important qualities of testing software is just being curious and doing things that make others ask, "Why would you ever even think of trying that?" Because users are crazy, that's why.

Single Sign On (SSO) - Login once, access everything
Once upon an SSO engineering career, I was configuring a self-service portal that allowed our users (internal employees) to update some personal information for their account. Our vendor provided a SaaS portal with a form kinda like this:
The email field was uneditable on purpose to prevent users from changing the email to anything besides the company-owned email address. There's a configuration option in the tool explicitly to prevent that. But my devious little self thought it would be fun to Right-click > Inspect and see what happens if I changed it. Why did I do this? To see if I could!

And it worked! I changed it to my personal email address, and that became my Official SSO Login Email for my work accounts. Fortunately, this all occurred in a non-prod environment (for us, not the vendor), but it demonstrably showed no backend validation for this input field. How could a bad guy actually exploit this? Not easily, but social engineering happens even to the best SSO providers.
Note: my particular story occurred years before that incident, and with a different vendor.
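As an added illustration (not the vendor's code), here is the server-side pattern that bug boils down to: a handler that writes back whatever the browser posts, next to one that enforces its own allowlist of editable fields so a `disabled` attribute in the HTML is never the only control. The `Profile` type, the field names and the editable-field list are assumptions.

```python
"""Locked profile fields must be enforced on the server, not in the HTML."""
from dataclasses import dataclass, replace

# Assumed self-service fields; anything else (notably 'email') is locked.
EDITABLE_FIELDS = {"display_name", "phone"}


@dataclass
class Profile:
    email: str            # the SSO login email, owned by the company
    display_name: str = ""
    phone: str = ""


def update_profile_vulnerable(profile: Profile, form: dict) -> Profile:
    """Trusts the browser: every posted field is written back.

    The only thing stopping an email change is the 'disabled' attribute on
    the input, which the user can remove with Right-click > Inspect.
    """
    for key, value in form.items():
        setattr(profile, key, value)
    return profile


def update_profile_hardened(profile: Profile, form: dict) -> tuple[Profile, list[str]]:
    """Applies a server-side allowlist regardless of what the form claimed.

    Returns (profile, rejected_fields). If any locked or unknown field
    arrives with a changed value, nothing is applied: a locked field
    changing in a POST is a tamper signal worth logging and alerting on.
    """
    tampered = [
        key for key, value in form.items()
        if key not in EDITABLE_FIELDS and getattr(profile, key, None) != value
    ]
    if tampered:
        return profile, tampered
    updates = {k: v for k, v in form.items() if k in EDITABLE_FIELDS}
    return replace(profile, **updates), []


if __name__ == "__main__":
    # Constructed request: the email field was re-enabled in dev tools.
    posted = {"display_name": "Alice B", "email": "alice@personal.example"}
    print(update_profile_vulnerable(Profile("alice@corp.example"), posted))
    print(update_profile_hardened(Profile("alice@corp.example"), posted))
```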
The next part is thankfully anticlimactic: I put together an email with step-by-step reproduction instructions and gave it to my vendor's Customer Success Manager. Within a couple of weeks, the CSM emailed me back and said it was fixed. Honestly, an A+ response. No bug bounty unfortunately, but that's not why we do it. We do it for the clout to make the internet a safer place.
I know "futzing around with browser dev tools" isn't as cool as decompiling software and running bytecode-level analysis, but I'm honestly thankful to have contributed in a small way to making security software more secure.