Simple SSO security - user can change company and phone


I'm trying Simple SSO Security and I found a security Issue.

Indeed, the Phone & Company could be set in the SSO Url but it's not include in the HASH. So If I intercept the http request, I can change my phone and company.

The phone is not really important for me, but I would like to separate solutions, articles & ticket between company. With this, I can't be sure that a customer will not try to access ticket or article from other company.

1 person has this problem

Thanks. We are looking into this.



Freshdesk Product Management

I also reported this in a ticket around 10 Feb. and got the response "This is the expected behaviour in case of simple SSO. One way to avoid this would be to use SAML SSO." (In SAML everything is cryptographically signed, as far as I understand.) I set up a SAML identity provider just for this, and it's working OK, but it would be better to have the simple hash-based SSO include all details in the hash so that they are all secure.