Security "Bits"

Catch & Release Phishing

By Nat Kausik | October 9, 2015 at 11:04 AM

Last week we looked at US Patent 9,137,131, in which a CASB vendor patented the notion of forcing users to enter their corporate passwords into a proxy. As we noted then, this eviscerates the SAML standard, which is built on the premise that users enter their passwords only into a trusted identity provider and requires every third party to defer authentication to that identity provider via a SAML assertion. We also noted that training users to enter their corporate credentials into a proxy pretty much guarantees a data breach. Indeed, the Anthem, Premera and JPMorgan breaches were all caused by employees entering their corporate credentials outside the trusted identity provider. Clearly, we thought, US Patent 9,137,131 is not one that any security product will infringe.

But we were wrong. During our work with a customer, we came upon another CASB that requires users to enter their credentials into a proxy as part of its single sign-on integration. This customer showed us an integration of ADFS with the CASB in which users are required to enter their ADFS corporate credentials into the proxy. The proxy's URL carries a valid certificate, of course, but has no visible connection with the corporate identity. Users enter their credentials into the proxy, which then passes them on to the ADFS identity provider. This trains the user to enter their credentials into a proxy, and it risks leakage of the credentials, which the proxy must hold in the clear in order to forward them. Catch and release phishing!
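The two flows described above, modelled side by side, as an added example that is not code from the original post or from any of the vendors it mentions. The host names, the user store and the "assertion" format are assumptions made for the example; the signature is an HMAC with a key pre-shared to the service provider, standing in for the RSA signature and published IdP metadata that real SAML uses. The point it demonstrates is the one the post makes: the service provider receives an equally valid assertion in both flows and cannot tell them apart, while the record of where the browser sent the password shows the proxy flow putting the credentials in a second party's hands.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical hosts for the example; not taken from the original post.
IDP_HOST = "adfs.corp.example"
SP_HOST = "app.example.net"
PROXY_HOST = "sso-proxy.casb.example"


class Transcript:
    """Records every form submission the browser makes as (host, field names)."""
    def __init__(self):
        self.submissions = []

    def post(self, host, fields):
        self.submissions.append((host, sorted(fields)))


class IdentityProvider:
    """Toy IdP. Real SAML IdPs sign with RSA and publish the public key in
    metadata; an HMAC key pre-shared with the SP stands in for that here."""
    def __init__(self, host, users):
        self.host = host
        self.users = users                      # constructed username -> password store
        self.signing_key = secrets.token_bytes(32)

    def login(self, transcript, username, password, audience):
        transcript.post(self.host, ["username", "password"])
        if self.users.get(username) != password:
            return None
        body = json.dumps({"subject": username, "audience": audience}, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()


class ServiceProvider:
    """Toy SP / relying party: never sees a password, only verifies assertions."""
    def __init__(self, host, idp):
        self.host = host
        self.verify_key = idp.signing_key

    def consume(self, transcript, assertion):
        transcript.post(self.host, ["SAMLResponse"])
        try:
            b64_body, b64_sig = assertion.split(".")
            body, sig = base64.b64decode(b64_body), base64.b64decode(b64_sig)
        except (ValueError, TypeError, AttributeError):
            return None
        expected = hmac.new(self.verify_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        if claims.get("audience") != self.host:      # assertion issued for someone else
            return None
        return claims["subject"]


class CredentialProxy:
    """The pattern the post objects to: a proxy that presents its own login
    form, receives the corporate password, and replays it to the IdP."""
    def __init__(self, host, idp):
        self.host = host
        self.idp = idp
        self.captured = []      # everything that passed through the proxy in the clear

    def login(self, transcript, username, password, audience):
        transcript.post(self.host, ["username", "password"])
        self.captured.append((username, password))
        return self.idp.login(transcript, username, password, audience)


def password_recipients(transcript):
    """Hosts that received a password field. SAML's premise is that this is only the IdP."""
    return sorted({host for host, fields in transcript.submissions if "password" in fields})


def run_direct_flow():
    idp = IdentityProvider(IDP_HOST, {"alice": "correct horse"})
    sp = ServiceProvider(SP_HOST, idp)
    t = Transcript()
    assertion = idp.login(t, "alice", "correct horse", SP_HOST)
    return sp.consume(t, assertion), password_recipients(t)


def run_proxied_flow():
    idp = IdentityProvider(IDP_HOST, {"alice": "correct horse"})
    sp = ServiceProvider(SP_HOST, idp)
    proxy = CredentialProxy(PROXY_HOST, idp)
    t = Transcript()
    assertion = proxy.login(t, "alice", "correct horse", SP_HOST)
    return sp.consume(t, assertion), password_recipients(t), proxy.captured


def tampered_assertion_rejected():
    """Sanity check that the SP really relies on the signature, not on the body."""
    idp = IdentityProvider(IDP_HOST, {"alice": "correct horse"})
    sp = ServiceProvider(SP_HOST, idp)
    t = Transcript()
    _, sig = idp.login(t, "alice", "correct horse", SP_HOST).split(".")
    forged_body = json.dumps({"subject": "admin", "audience": SP_HOST}, sort_keys=True).encode()
    return sp.consume(t, base64.b64encode(forged_body).decode() + "." + sig) is None


if __name__ == "__main__":
    print("direct :", run_direct_flow())
    print("proxied:", run_proxied_flow())
```

Running it, both flows log the same subject in at the service provider; only the transcript differs, with the proxy host appearing among the recipients of the password and the proxy's capture list holding the credential. That is also why the problem cannot be fixed on the SP side: the assertion is genuine. The check that matters is on the client path, where the only host that should ever see a corporate password is the identity provider.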

We recommended that the customer remedy the situation ASAP. As of this writing, the vendor has not been able to fix the issue.
