23

We have a portal which uses Windows Integrated auth that lists out all off our internal sites.

Navigating to any of these produces a URL like the one in the attached image.

Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.

So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.

Fucking nuts.

Comments
Add Comment