The Postman: A Journey of Ethical Hacking in PosteID/SPID Borderland
Gabriele Costa
TL;DR
This paper details an ethical hacking case study on PosteID, revealing a critical privilege escalation vulnerability in Italy's digital identity system, and discusses the technical and disclosure process involved.
Contribution
It provides a comprehensive case study of vulnerability assessment and responsible disclosure in a national digital identity platform.
Findings
Discovered a critical privilege escalation vulnerability in PosteID
Vulnerability was successfully patched after disclosure
Provides technical details and ethical hacking methodology
Abstract
This paper presents a vulnerability assessment activity that we carried out on PosteID, the implementation of the Italian Public Digital Identity System (SPID) by Poste Italiane. The activity led to the discovery of a critical privilege escalation vulnerability, which was eventually patched. The overall analysis and disclosure process represents a valuable case study for the community of ethical hackers. In this work, we present both the technical steps and the details of the disclosure process.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsEthics and Social Impacts of AI · Big Data Technologies and Applications · Misinformation and Its Impacts