Security researchers from O3 Cyber present findings on a critical OIDC misconfiguration pattern affecting unicorn startups. By exploiting mutable, unverified email claims (the 'NoAuth' vulnerability class) in SSO/SAML federation flows, they were able to impersonate internal admin accounts at a billion-dollar AI company, gaining access to enterprise customer tenants belonging to Fortune 500 firms. The root cause is applications using the email claim for authorization without validating tenant, subject, and actor together. The talk connects this to the vibe coding era, where speed-to-market and AI FOMO cause security steps to be skipped. Key mitigations: never use email claims alone for authorization, validate tenant+subject+actor together, and require verified domain ownership.
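As an added illustration of the mitigation the talk recommends (this is example code written for this summary, not code from O3 Cyber or from the affected company), the block below places the weak pattern, authorizing a user because the `email` claim matches an admin address, beside a hardened check that binds the admin role to issuer, tenant and subject, requires the token's audience to be this application (the "actor" in the talk's tenant+subject+actor triad, read here as the relying party; that reading is an assumption), and only accepts an `email_verified` address from a domain whose ownership was confirmed out of band. All identifiers, tenant ids and claim sets are constructed; the `tid` tenant claim name is an assumption, since tenant claims differ between identity providers. The decoded claim sets are assumed to have already passed signature and expiry validation.

```python
"""Added example (not from the talk or O3 Cyber): email-only authorization
beside authorization bound to (issuer, tenant, subject) with an audience check
and a verified-email / verified-domain requirement."""

# --- Constructed configuration (hypothetical values) ------------------------
TRUSTED_ISSUER = "https://login.idp.example"   # the one IdP we federate with
TRUSTED_TENANT = "tenant-acme-001"             # our customer's tenant id (assumed 'tid' claim)
OUR_CLIENT_ID = "app-client-7f3a"              # audience the token must be minted for
VERIFIED_DOMAINS = {"acme.example"}            # domains whose ownership was verified out of band

# The admin role is granted to stable identities (iss, tid, sub), never to an email string.
ADMIN_IDENTITIES = {
    (TRUSTED_ISSUER, TRUSTED_TENANT, "sub-0042"),
}


def authorize_by_email_only(claims: dict) -> bool:
    """Weak pattern: whoever can present this email string is treated as admin."""
    return claims.get("email") == "admin@acme.example"


def evaluate_bound_identity(claims: dict) -> tuple:
    """Hardened pattern. Returns (allowed, reason) so every rejection can be logged.

    Claim names follow common OIDC usage ('iss', 'sub', 'aud', 'email',
    'email_verified'); 'tid' for the tenant is an assumption that varies by IdP.
    """
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if claims.get("tid") != TRUSTED_TENANT:
        return False, "tenant mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:
        return False, "audience mismatch"
    # The email field is mutable at the IdP; only trust it when the issuer verified it.
    if claims.get("email_verified") is not True:
        return False, "email not verified by issuer"
    email = str(claims.get("email", ""))
    domain = email.rpartition("@")[2].lower()
    if domain not in VERIFIED_DOMAINS:
        return False, "email domain not owned by tenant"
    # Role lookup is keyed by the stable subject within the trusted tenant, not by email.
    identity = (claims["iss"], claims["tid"], claims.get("sub"))
    if identity not in ADMIN_IDENTITIES:
        return False, "subject has no admin role"
    return True, "ok"


def authorize_bound_identity(claims: dict) -> bool:
    return evaluate_bound_identity(claims)[0]


# --- Constructed sample tokens (decoded claim sets; signature already checked) ---
LEGIT_ADMIN = {
    "iss": TRUSTED_ISSUER, "tid": TRUSTED_TENANT, "sub": "sub-0042",
    "aud": OUR_CLIENT_ID, "email": "admin@acme.example", "email_verified": True,
}
# A different tenant at the same IdP whose user has set the admin's email on their profile.
FOREIGN_TENANT = {
    "iss": TRUSTED_ISSUER, "tid": "tenant-other-999", "sub": "sub-9001",
    "aud": OUR_CLIENT_ID, "email": "admin@acme.example", "email_verified": True,
}
# Right tenant, but the IdP never verified the mutable email field.
UNVERIFIED_EMAIL = {
    "iss": TRUSTED_ISSUER, "tid": TRUSTED_TENANT, "sub": "sub-0077",
    "aud": OUR_CLIENT_ID, "email": "admin@acme.example", "email_verified": False,
}

if __name__ == "__main__":
    samples = [("legit admin", LEGIT_ADMIN), ("foreign tenant", FOREIGN_TENANT),
               ("unverified email", UNVERIFIED_EMAIL)]
    for name, tok in samples:
        print(f"{name:17} email-only={authorize_by_email_only(tok)!s:5} "
              f"bound={evaluate_bound_identity(tok)}")
```

Running the block shows the email-only check accepting all three claim sets, while the bound check accepts only the real admin and returns a distinct reason for each rejection; emitting that reason to the audit log is what lets a detection rule flag repeated tenant or verification mismatches against admin addresses.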
