Posts tagged 'Responsible Disclosure'

Shared auEduPersonSharedToken (user ID) for all University of Notre Dame Australia users across Australian Access Federation (AAF) Resources

Outline: for an undisclosed period of time until 28 June 2019, all users from The University of Notre Dame Australia (ND) accessing federated, Shibboleth-secured SSO resources provided through the Australian Access Federation (AAF) were issued identical auEduPersonSharedToken values. This identifier is frequently used as a unique user identifier (username); on systems where this was the case, all users from ND were treated as the same person, so permissions assigned to one user effectively applied to every member of the ND community, breaking authentication and risking exposure of sensitive resources. The level of impact on a given system depends …
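An added example (not code from the original post) of how a relying party that keys accounts on auEduPersonSharedToken could detect and contain this failure mode: group observed sessions by token and flag any token carried by more than one eduPersonPrincipalName, and refuse to map a login onto an existing account whose principal differs. Token and principal values are constructed placeholders, not data from the incident.

```python
from collections import defaultdict

# Constructed sessions as an SP might record them after attribute resolution.
# Three logins from one IdP all carry the same token (the bug described above);
# a login from another IdP carries a properly unique token.
SAMPLE_SESSIONS = [
    {"auEduPersonSharedToken": "SHARED-TOKEN-PLACEHOLDER",
     "eduPersonPrincipalName": "alice@idp-a.example"},
    {"auEduPersonSharedToken": "SHARED-TOKEN-PLACEHOLDER",
     "eduPersonPrincipalName": "bob@idp-a.example"},
    {"auEduPersonSharedToken": "SHARED-TOKEN-PLACEHOLDER",
     "eduPersonPrincipalName": "alice@idp-a.example"},
    {"auEduPersonSharedToken": "UNIQUE-TOKEN-PLACEHOLDER-1",
     "eduPersonPrincipalName": "carol@idp-b.example"},
]


def find_token_collisions(sessions):
    """Return {token: sorted principals} for every token seen with more than
    one distinct eduPersonPrincipalName, i.e. an identifier that is not
    unique per person and must not be used as the account key."""
    principals = defaultdict(set)
    for s in sessions:
        token = s.get("auEduPersonSharedToken")
        epn = s.get("eduPersonPrincipalName")
        if token and epn:
            principals[token].add(epn)
    return {t: sorted(p) for t, p in principals.items() if len(p) > 1}


def resolve_account(accounts, session):
    """Map a login to a local account keyed on the shared token, but refuse to
    reuse an account whose recorded principal differs: a collision means the
    token cannot be trusted to mean 'the same person', so deny rather than
    silently grant another user's permissions. `accounts` is {token: epn}."""
    token = session["auEduPersonSharedToken"]
    epn = session["eduPersonPrincipalName"]
    existing = accounts.get(token)
    if existing is None:
        accounts[token] = epn
        return "created"
    if existing != epn:
        return "denied"
    return "matched"
```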