🤖 AI Summary
This paper reports a vulnerability assessment of PosteID, Poste Italiane's implementation of the Italian Public Digital Identity System (SPID). The assessment uncovered a critical privilege escalation vulnerability, which was responsibly disclosed to Poste Italiane and subsequently patched. The authors describe both the technical steps of the analysis and the coordinated disclosure process, and present the end-to-end activity as a case study for ethical hackers and security practitioners working on public digital identity infrastructure.
📝 Abstract
This paper presents a vulnerability assessment that we carried out on PosteID, Poste Italiane's implementation of the Italian Public Digital Identity System (SPID). The assessment led to the discovery of a critical privilege escalation vulnerability, which was eventually patched. The overall analysis and disclosure process is a valuable case study for the community of ethical hackers. In this work, we present both the technical steps of the assessment and the details of the disclosure process.