Monday, August 08, 2011

Security Flaw with IU CAS-Enabled Web Sites

There is a security flaw in many of IU's online services (such as the time off system and the document workflow approval system; see http://kb.iu.edu/data/akui.html): they use CAS for single sign-on but don't provide a CAS "log off". Logging into one of them creates a single sign-on session at the CAS server, kept in a cookie that the CAS server sets in your browser, and that CAS session, not the individual application's, is what signs you into every other CAS-enabled service without a password prompt until it expires, perhaps without your realizing it. The only way I know to log off after CAS login is to go through IU's OneStart portal, which does have a CAS log-off.

For example, if you log in to the EPTO service to record your time off, you are also logged into OneStart and everything else. If you leave your laptop or workstation unattended while the CAS session is still valid, I can sneak over and access all of your private employee information by pointing your browser to OneStart.
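To make the mechanism concrete, here is a small simulation of the CAS ticket flow that I have added to this post; it is illustrative code written for this explanation, not IU's or the CAS project's own software, and the user name, password, service names and ticket formats are made up. It models a CAS server that keeps ticket-granting tickets (the SSO session behind the browser cookie) and single-use service tickets, plus two CAS-enabled applications. Logging out of one application removes only that application's session; the CAS cookie survives, so the second application signs the browser in with no credentials. Only a CAS logout ends that.

```python
"""Toy model of CAS single sign-on, added to illustrate why an application-level
logout does not end the CAS session.  Illustrative code only: not IU's or the
CAS project's software; credentials, service names and ticket formats are made up."""

import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CasServer:
    """Minimal CAS server holding SSO sessions (TGTs) and service tickets (STs)."""
    users: Dict[str, str]                                   # made-up user database
    tgts: Dict[str, str] = field(default_factory=dict)      # tgc cookie -> username
    sts: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # st -> (user, service)

    def login(self, service: str, tgc: Optional[str] = None,
              username: Optional[str] = None, password: Optional[str] = None):
        """Return (service_ticket, tgc).  A valid TGC cookie skips the password
        prompt entirely: that is single sign-on."""
        if tgc in self.tgts:
            user = self.tgts[tgc]
        elif username is not None and self.users.get(username) == password:
            user = username
            tgc = "TGC-" + secrets.token_hex(8)
            self.tgts[tgc] = user
        else:
            raise PermissionError("credentials required")
        st = "ST-" + secrets.token_hex(8)
        self.sts[st] = (user, service)
        return st, tgc

    def service_validate(self, st: str, service: str) -> Optional[str]:
        """Service tickets are single-use and bound to the service that asked."""
        user, bound = self.sts.pop(st, (None, None))
        return user if user is not None and bound == service else None

    def logout(self, tgc: Optional[str]) -> None:
        """The CAS log-off that OneStart exposes: ends the SSO session."""
        self.tgts.pop(tgc, None)


@dataclass
class Browser:
    """Cookie jar: one CAS cookie plus one session id per application."""
    cas_cookie: Optional[str] = None
    app_sessions: Dict[str, str] = field(default_factory=dict)


@dataclass
class App:
    """A CAS-enabled application with its own local session table."""
    name: str
    cas: CasServer
    sessions: Dict[str, str] = field(default_factory=dict)

    def visit(self, browser: Browser, username: Optional[str] = None,
              password: Optional[str] = None) -> str:
        sid = browser.app_sessions.get(self.name)
        if sid in self.sessions:
            return self.sessions[sid]
        # Redirect to CAS: the TGC cookie goes along, credentials only if asked.
        st, tgc = self.cas.login(self.name, browser.cas_cookie, username, password)
        browser.cas_cookie = tgc
        user = self.cas.service_validate(st, self.name)
        if user is None:
            raise PermissionError("service ticket rejected")
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        browser.app_sessions[self.name] = sid
        return user

    def logout(self, browser: Browser) -> None:
        """Application-local logout: clears this app's session and cookie only."""
        self.sessions.pop(browser.app_sessions.pop(self.name, None), None)


def visit_without_credentials(app: App, browser: Browser) -> Optional[str]:
    """Who the app signs in when the browser offers nothing but its cookies."""
    try:
        return app.visit(browser)
    except PermissionError:
        return None


def demo() -> Dict[str, Optional[str]]:
    cas = CasServer(users={"jdoe": "hunter2"})          # made-up account
    epto, onestart = App("epto", cas), App("onestart", cas)
    b = Browser()
    out: Dict[str, Optional[str]] = {}
    out["epto_login"] = epto.visit(b, "jdoe", "hunter2")
    epto.logout(b)                                      # only EPTO's session dies
    out["onestart_after_app_logout"] = visit_without_credentials(onestart, b)
    onestart.logout(b)
    cas.logout(b.cas_cookie)                            # the real log-off
    out["onestart_after_cas_logout"] = visit_without_credentials(onestart, b)
    return out


if __name__ == "__main__":
    for step, user in demo().items():
        print(f"{step}: {user}")
```

Running it prints `onestart_after_app_logout: jdoe` and `onestart_after_cas_logout: None`, which is the whole problem in two lines: the application logout changed nothing at the CAS server, and anyone at the keyboard could have opened OneStart without a password. One caveat the model also shows: a CAS logout invalidates the SSO session, but an application session that was already established stays valid in that application until it expires or the application is told about the logout, so a complete log-off needs both.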