Your Identity Is Mine: Techniques & Insights From OS Identity Providers Research
Nullcon Goa 2025 · Main Stage
In this Nullcon presentation, Aul, a vulnerability researcher at Cyber clubs, presents critical security vulnerabilities discovered in two widely used open-source identity providers (IDPs): **Keycloak** and **Authentik**. The talk covers web race conditions, object-relational mapper (ORM) exploitation for information leakage, and privilege escalation techniques that could allow an attacker, or even another authenticated user, to take control of digital identities and the IDP itself.
AI review
Solid bug-hunting walkthrough covering real CVEs in Keycloak and Authentik — race condition limit bypass, ORM regex oracle for UUID extraction, and a straightforward privilege escalation via unsanitized token PUT. Competent original research with genuine CVEs and live demos, but the vulnerabilities sit squarely in known exploit classes with no novel twist on technique or tooling.