How I Found a Critical SAML Authentication Bypass on a Major Automotive Company's Dealer Portal

ousski.medium.com · Ousski · research
Ousski · ~2 min read · April 2, 2026 (Updated: April 2, 2026)

Introduction:

During a routine bug bounty reconnaissance session, I came across an exposed pre-production application that led to one of my most impactful findings: a complete SAML authentication bypass affecting a major auto company, including their OTA vehicle software update infrastructure.

Recon — how I found it:

During subdomain enumeration, while using the EyeWitness tool to check screenshots of the discovered subdomains, one subdomain caught my eye: prestage.***.TARGET.com

Navigating to the subdomain revealed a publicly accessible SAML testing tool with:
- No authentication required
- Pre-filled form fields containing real employee data, including PII
- Internal Windows server paths exposed at the top of the page, revealing the application's directory structure

Authentication bypass:

Using the original pre-filled values with the staging environment selected:

Request:
    POST /sso/login
    Host: [TARGET]

    SAMLResponse=[forged assertion]

Response:
    HTTP/2 301 Moved Permanently
    Location: /Dealer/Index

Following the redirect sent me to the full dealer portal dashboard, from which I could download all of the OTA files.

Impact of finding:

1. COMPLETE AUTHENTICATION BYPASS: any unauthenticated attacker can gain full access to the dealer portal network.
2. SAML SIGNATURE VALIDATION ABSENT: forged assertions are accepted without any cryptographic verification.
3. OTA VEHICLE UPDATE SYSTEM ACCESS: the portal manages Over The Air software updates for vehicles across dealerships, including:
   - Vehicle software downloads by year/model
   - Update report uploads affecting warranty claims
4. ANY DEALER IDENTITY CAN BE IMPERSONATED: the attacker controls all SAML attributes, including dealer number, name, and employee identity.
5. PRODUCTION ENVIRONMENTS AT RISK: the same vulnerability path is available against production environments, confirmed in the environment dropdown.
6. SENSITIVE INFORMATION DISCLOSURE:
   - Real employee PII publicly exposed
   - Internal server paths disclosed
   - Full environment architecture revealed
   - Internal monitoring infrastructure exposed

CVSS Scoring:

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Score: 9.3 (Critical)

Conclusion:

This finding demonstrates how a single exposed internal testing tool can lead to a complete authentication bypass of critical infrastructure. The combination of:
- No access controls on the testing tool
- SAML signature validation absent
- Real credentials pre-filled
- Production environments exposed

H1 triaged and resolved the bug.

#bug-hunting #cybersecurity #bug-bounty #bug-bounty-writeup
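The root cause in this writeup is impact item 2: the service provider decoded the SAMLResponse and trusted whatever attributes it found, with no check that the assertion was signed, issued by the federated IdP, addressed to this SP, still valid, or not already used. The following Python is an added example, not the author's code and not the portal's code, contrasting that pattern with the structural checks an SP must make before it even hands the assertion to an XML-DSig library for signature verification. The entity IDs, the sample response, the `dealerNumber` attribute and the fixed "now" are all constructed for the example.

```python
"""Added example (not from the writeup): structural validation of a SAML 2.0
Response on the service-provider side, beside the 'decode and trust' pattern
the dealer portal exhibited. Cryptographic verification of the ds:Signature
against the IdP's pinned certificate must still follow, using an XML-DSig
library such as signxml or python3-saml; the checks here stop the cases that
never reach that step: unsigned assertions, wrong issuer, wrong audience,
expired windows and replays. All identifiers below are constructed."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical SP configuration (constructed values, not the target's).
EXPECTED_ISSUER = "https://idp.example-idp.test/metadata"
EXPECTED_AUDIENCE = "https://dealer-portal.example.test/sp"
CLOCK_SKEW = timedelta(minutes=2)
NOW = datetime(2026, 4, 2, 10, 2, tzinfo=timezone.utc)  # constructed clock for the demo
_seen_assertion_ids = set()  # in production: a shared store with a TTL


def build_response(signed=True, issuer=EXPECTED_ISSUER, audience=EXPECTED_AUDIENCE,
                   assertion_id="_a1", not_before="2026-04-02T10:00:00Z",
                   not_on_or_after="2026-04-02T10:05:00Z", dealer_number="D-0001"):
    """Constructed sample SAMLResponse (base64). The Signature element is a
    placeholder standing in for a real XML-DSig block."""
    signature = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
                 '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>'
                 if signed else "")
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0">'
        f'<saml:Issuer>{issuer}</saml:Issuer>{signature}'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '<saml:AttributeStatement><saml:Attribute Name="dealerNumber">'
        f'<saml:AttributeValue>{dealer_number}</saml:AttributeValue></saml:Attribute>'
        '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def _attributes(assertion):
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in assertion.iterfind(".//saml:Attribute", NS)}


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vulnerable_login(saml_response_b64):
    """The pattern the writeup describes: decode, read attributes, create a
    session. Nothing checks that the assertion is signed or meant for this SP,
    so the client chooses its own dealer number and identity."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return _attributes(root)


def validate_response(saml_response_b64, now):
    """Return (ok, reason, attributes). Only after ok is True should the
    ds:Signature be verified; only after that should attributes be used."""
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"unparseable response: {exc}", {}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", {}
    # 1. An assertion carrying no signature at all can never be verified.
    if assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed", {}
    # 2. The issuer must be the IdP we federated with, not whatever the client claims.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        return False, f"unexpected issuer {issuer!r}", {}
    # 3. Audience restriction: the assertion must be addressed to this SP.
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience does not include this SP", {}
    # 4. Validity window with a small clock-skew allowance.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if (not_before and now + CLOCK_SKEW < _parse_time(not_before)) or \
       (not_on_or_after and now - CLOCK_SKEW >= _parse_time(not_on_or_after)):
        return False, "assertion outside its validity window", {}
    # 5. Replay: each assertion ID may be consumed once.
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in _seen_assertion_ids:
        return False, "replayed assertion", {}
    _seen_assertion_ids.add(assertion_id)
    return True, "structural checks passed; verify ds:Signature next", _attributes(assertion)


if __name__ == "__main__":
    forged = build_response(signed=False, dealer_number="D-9999")
    print("vulnerable flow trusts:", vulnerable_login(forged))
    print("hardened flow says:", validate_response(forged, NOW)[:2])
```

The order of the checks matters for operators reading rejection logs: an unsigned assertion is reported as such before any issuer or audience detail is inspected, so a burst of "assertion is not signed" rejections on `/sso/login` is a direct signal that someone is probing for exactly the weakness this writeup describes. The replay set is process-local here; a real deployment keeps it in shared storage with a TTL no shorter than the longest `NotOnOrAfter` it will accept.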