Hi,
We use SSO internally for our Freshservice platform. I've noticed that it's extremely easy to log into someone else's account if you have the hash by putting it at the end of the URL, for example "&hash=8c4ceaa5ba06561b2cf5ac66f88d7d49" (this is not a legitimate hash).
There are no controls on how this hash can be used, so I can literally walk up to another machine and use that hash to log in as an agent. Surely this hash should be stored and processed more securely?