WithSecure, Mend.io patch vulnerability in popular application security platform
September 2023 by WithSecure™
WithSecure™ (formerly known as F-Secure Business) published a security advisory warning organizations of a vulnerability the company discovered in Mend.io’s application security platform.
Mend.io’s platform helps software developers identify and remediate vulnerabilities and security issues found in code libraries. According to Mend.io’s website, it has more than 1,000 customers, including 25 percent of the Fortune 100.
WithSecure™ personnel discovered a problem with Mend.io’s security assertion markup language (SAML) login option, which is a type of single sign-on authentication that allows users to access a variety of online services with a single set of login credentials.
The vulnerability discovered by WithSecure™ could have allowed a Mend.io customer, acting as an attacker, to use the vulnerable SAML implementation to access the data of a subset of other Mend.io customers in the same software-as-a-service (SaaS) environment by guessing or otherwise obtaining a valid email address from a targeted organization. Mend.io has numerous SaaS environments, with many customers in isolated environments.
While the data contained in Mend.io accounts would vary between companies, its use as an application security platform makes it likely that attackers could use the information to plan targeted attacks against vulnerable pieces of software they could identify from Mend.io’s data.
"Basically, the single sign-on service would accept any legitimate customer’s email address without any additional authentication. Attackers would only need to get a Mend.io account in a specific SaaS environment, configure it to accept the single sign-on authentication method, and then use an email address for the target company’s account—steps which are all doable by today’s cyber criminals," said WithSecure™ Chief Architect Ari Inki.
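The flaw described above, modelled in simplified form as an added example (this is not Mend.io’s or WithSecure’s code, and the tenant names, issuer URLs and email addresses are constructed): a multi-tenant service where each customer registers its own SAML identity provider, shown first with a login that looks accounts up by email alone and then with the check that binds the asserting IdP to the tenant and its email domains.

```python
"""Simplified model of the SAML account-linking flaw described above.

Constructed example, not Mend.io's or WithSecure's code. Assumes a
multi-tenant SaaS where each tenant registers its own identity provider
(IdP) and incoming assertions carry an issuer plus an email-format NameID.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    idp_issuer: str                                   # entityID of the tenant's IdP
    email_domains: set = field(default_factory=set)   # domains the tenant owns


@dataclass
class Assertion:
    issuer: str   # <saml:Issuer>; signature is assumed to be verified already
    email: str    # NameID in email format


# Constructed tenant directory: "attacker-co" controls its own IdP.
TENANTS = {
    "victim-corp": Tenant("victim-corp", "https://idp.victim.example", {"victim.example"}),
    "attacker-co": Tenant("attacker-co", "https://idp.attacker.example", {"attacker.example"}),
}
USERS = {  # email -> tenant that owns the account
    "alice@victim.example": "victim-corp",
    "mallory@attacker.example": "attacker-co",
}


def vulnerable_login(a: Assertion):
    """Trusts any registered IdP, then resolves the account by email alone."""
    if a.issuer not in {t.idp_issuer for t in TENANTS.values()}:
        return None
    return USERS.get(a.email)   # any tenant's IdP can assert any email


def hardened_login(a: Assertion):
    """Binds the asserting IdP to one tenant and that tenant to the email domain."""
    tenant = next((t for t in TENANTS.values() if t.idp_issuer == a.issuer), None)
    if tenant is None:
        return None
    domain = a.email.rpartition("@")[2].lower()
    if domain not in tenant.email_domains:
        return None             # IdP may not assert identities outside its own domains
    if USERS.get(a.email) != tenant.name:
        return None             # the account must belong to the asserting tenant
    return tenant.name


# Constructed cross-tenant assertion: attacker-co's IdP asserting a victim-corp email.
CROSS_TENANT = Assertion("https://idp.attacker.example", "alice@victim.example")
```

The verification and domain-binding steps are the detection points a defender would log: an assertion whose issuer does not own the asserted email domain should be rejected and alerted on, never silently mapped to an existing account.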
WithSecure™ contacted Mend.io with its concerns in May 2023. Mend.io responded promptly to confirm WithSecure’s findings, and the two companies began working on a fix, which has now been implemented in the platform.
"Securing our customers’ data is vital to our organization, and we’re happy that WithSecure was proactive in helping us identify and fix this problem. By working together, we were able to move quickly to ensure the issue was fixed before it was used by any threat actors to attack our customers," said Robert Nilsson, Executive Vice President of Customer Experience at Mend.io.