Security update: Addressing XML signature verification vulnerabilities
Details of a recent XML signature vulnerability.

Head of Enterprise Integrations
At BoxyHQ (now part of Ory), security is a top priority. Recently, a vulnerability was disclosed in a library we use. Thanks to coordinated efforts between our team, Alexander Tan, library maintainer Chris Barth, WorkOS, and other vendors, we patched the issue efficiently and responsibly.
No customers were affected, and our multi-tenancy security measures provide additional protection against such risks.
The first vulnerability allows an attacker to bypass XML signature verification by injecting an XML comment within the <DigestValue> element. As a result, an altered or malicious XML document could be accepted as valid, potentially leading to security risks such as data manipulation or authentication bypass.
The issue has been patched by ensuring strict parsing and validation of <DigestValue>.
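The <DigestValue> check described above, as an added example in Python using only the standard-library minidom parser (this is not the patched library's code and not BoxyHQ's): an illustrative lenient reader that stops at the first text node sits beside a strict reader that accepts nothing but a single base64 text child of the declared digest length, both run over a constructed Reference with and without an injected comment.

```python
import base64
import hashlib
from xml.dom import minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
# Raw digest length in bytes for the digest algorithms the verifier accepts.
DIGEST_LEN = {"http://www.w3.org/2000/09/xmldsig#sha1": 20, SHA256_URI: 32}

def lenient_digest_value(dv):
    # Illustrative lenient reader (not any library's code): uses only the first
    # text node, so anything after an injected comment is silently ignored.
    first = dv.firstChild
    return first.data.strip() if first is not None and first.nodeType == first.TEXT_NODE else ""

def strict_digest_value(dv, algorithm_uri):
    # Strict reader: exactly one text child (no comments, no elements) whose
    # base64 decodes to the digest length of the declared algorithm.
    children = list(dv.childNodes)
    if len(children) != 1 or children[0].nodeType != children[0].TEXT_NODE:
        raise ValueError("DigestValue must contain a single text node")
    text = "".join(children[0].data.split())     # tolerate line wrapping only
    raw = base64.b64decode(text, validate=True)  # binascii.Error is a ValueError
    expected = DIGEST_LEN.get(algorithm_uri)
    if expected is None or len(raw) != expected:
        raise ValueError(f"bad digest for {algorithm_uri}: {len(raw)} bytes")
    return raw

def _reference_parts(xml_text):
    doc = minidom.parseString(xml_text)
    ref = doc.getElementsByTagNameNS(DS_NS, "Reference")[0]
    alg = ref.getElementsByTagNameNS(DS_NS, "DigestMethod")[0].getAttribute("Algorithm")
    return ref.getElementsByTagNameNS(DS_NS, "DigestValue")[0], alg

def strict_check(xml_text):
    # Returns the raw digest bytes, or None when the Reference is rejected.
    dv, alg = _reference_parts(xml_text)
    try:
        return strict_digest_value(dv, alg)
    except ValueError:
        return None

# Constructed sample data: a SHA-256 Reference, clean and with a comment injected.
def sample_reference(digest_value_markup):
    return (f'<Reference xmlns="{DS_NS}" URI="#body">'
            f'<DigestMethod Algorithm="{SHA256_URI}"/>'
            f'<DigestValue>{digest_value_markup}</DigestValue></Reference>')

CLEAN_RAW = hashlib.sha256(b"constructed-sample-body").digest()
CLEAN_B64 = base64.b64encode(CLEAN_RAW).decode()
WITH_COMMENT = "AAAA<!-- injected -->" + CLEAN_B64
```

The strict reader rejects the comment-bearing Reference outright, while the lenient one returns only the fragment before the comment, which is exactly the kind of divergence between what is checked and what is signed that the fix closes.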
The second flaw occurs when an XML signature contains multiple <SignedInfo> references, leading to ambiguity in the verification process. An attacker could exploit this to trick the verification mechanism into validating a signature against an unintended portion of the document.
The fix enforces stricter handling of <SignedInfo> references to prevent such bypass techniques.
These vulnerabilities underscore the importance of robust XML signature verification to prevent tampering and unauthorized access.
Security vulnerabilities are inevitable in software, but how we handle them makes the difference. Our process prioritizes transparency, collaboration, and rapid remediation.
This structured approach ensured a swift response while minimizing risks.
Cybersecurity thrives on collaboration. Alexander’s responsible disclosure, the maintainer’s prompt response, and vendor cooperation were instrumental in resolving this issue effectively. Open collaboration strengthens the software ecosystem, enabling us to respond proactively to threats.
We appreciate the collective effort that made this fix possible—special thanks to Alexander Tan and WorkOS for their contributions. Our commitment to security remains unwavering, and we encourage developers and researchers to engage in open dialogue about potential risks.
For security concerns, contact us at [email protected]. A detailed blog post on the exploit and mitigation will be released soon.
Thanks to everyone who contributed to resolving this issue!