WithSecure, Mend.io patch vulnerability in popular application security platform

Press Release  |  September 5, 2023

Vulnerability could have exposed potentially compromising security information about Mend.io customers.

Helsinki, Finland – September 5, 2023: Today, WithSecure™ (formerly known as F-Secure Business) published a security advisory warning organizations of a vulnerability the company discovered in Mend.io’s application security platform.

Mend.io’s platform helps software developers identify and remediate vulnerabilities and security issues found in code libraries. According to Mend.io’s website it has more than 1,000 customers, including 25 percent of the Fortune 100.

WithSecure™ personnel discovered a problem with Mend.io’s security assertion markup language (SAML) login option, which is a type of single sign-on authentication that allows users to access a variety of online services with a single set of login credentials.

The vulnerability discovered by WithSecure™ could have allowed a Mend.io customer, acting as an attacker, to use the vulnerable SAML implementation to access the data of a subset of other Mend.io customers in the same software-as-a-service (SaaS) environment by guessing or otherwise obtaining a valid email address from a targeted organization. Mend.io has numerous SaaS environments, with many customers in isolated environments.

While the data contained in Mend.io accounts would vary between companies, its use as an application security platform makes it likely that attackers could use the information to plan targeted attacks against vulnerable pieces of software they could identify from Mend.io’s data.

“Basically, the single sign-on service would accept any legitimate customer’s email address without any additional authentication. Attackers would only need to get a Mend.io account in a specific SaaS environment, configure it to accept the single sign-on authentication method, and then use an email address for the target company’s account—steps which are all doable by today's cyber criminals,” said WithSecure™ Chief Architect Ari Inki.

WithSecure™ contacted Mend.io with their concerns in May 2023. Mend.io responded promptly to confirm WithSecure’s findings, and the two companies began working on a fix, which has now been implemented into the platform.

“Securing our customers’ data is vital to our organization, and we’re happy that WithSecure was proactive in helping us identify and fix this problem. By working together, we were able to move quickly to ensure the issue was fixed before it was used by any threat actors to attack our customers,” said Robert Nilsson, Executive Vice President of Customer Experience at Mend.io.

More information on the vulnerability is available on WithSecure™ Labs: https://labs.withsecure.com/advisories/mend-cross-tenant-access.

WithSecure™ media relations
Adam Pilkey

About WithSecure™

WithSecure™, formerly F-Secure Business, is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust us for outcome-based cyber security that protects and enables their operations.

Our AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks. Our consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, we’ve built our portfolio to grow with our partners through flexible commercial models.

WithSecure™ Corporation was founded in 1988, and is listed on NASDAQ OMX Helsinki Ltd.