
"Dutch security researcher Dirk-jan Mollema discovered a critical vulnerability in Microsoft Entra ID that allowed full access to every tenant in the world. Microsoft fixed the problem within days of being notified. The flaw consisted of undocumented impersonation tokens and a validation error in the old Azure AD Graph API. With this vulnerability, a successful attack would remain completely invisible. This is because there was no logging for requesting Actor tokens. Even if there had been, it would only appear in the attacker's tenant, not in the victim's."
"The vulnerability consisted of two components that, when combined, could be catastrophic. First, there were undocumented 'Actor tokens' that Microsoft uses internally for service-to-service communication. These tokens were not subject to security policies such as Conditional Access. Second, the outdated Azure AD Graph API contained a critical error when validating the original tenant. This allowed these tokens to be used for cross-tenant access. With a token from his own lab, the researcher could impersonate any user in other tenants, including Global Admins. 'Effectively, this meant that with a token from my lab tenant, I had full access to every other tenant in the world,' according to the findings."
Undocumented Actor tokens used for internal service-to-service communication were not subject to Conditional Access and had no tenant-level logging. The legacy Azure AD Graph API contained a validation error for the original tenant, allowing those Actor tokens to be accepted cross-tenant. Because requesting Actor tokens produced no logs visible to victims and Azure AD Graph lacks API-level logging, successful attacks would remain invisible or only appear in the attacker's tenant. Attackers could access user and group data, tenant settings, applications, BitLocker keys, and impersonate Global Admins to modify objects, settings, and grant themselves Azure rights. Microsoft deployed a fix within days.
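To make the tenant-validation flaw concrete from a defender's side, here is an added example (not Microsoft's code, not the article's, and not the real Actor token format, which the article does not document). It uses a constructed HMAC-signed token whose `tid` (tenant id) and `aud` claim names are assumed to mirror Entra ID access tokens, and contrasts a validator that never compares the token's tenant with the tenant being accessed against one that does and also writes an audit record, the kind of tenant-level logging the summary says was missing.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed: a shared key stands in for the issuer's real signing infrastructure.
SIGNING_KEY = b"constructed-lab-signing-key"

# Stands in for the tenant-level audit trail the article says did not exist.
AUDIT_LOG: list = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Issue a constructed token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def _decode(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def validate_weak(token: str, resource_tenant: str, audience: str) -> bool:
    """Mirrors the flaw: signature and audience are checked, but the tenant the
    token was issued in (tid) is never compared with the tenant being accessed."""
    claims = _decode(token)
    return claims is not None and claims.get("aud") == audience


def validate_hardened(token: str, resource_tenant: str, audience: str) -> bool:
    """Same checks plus the missing one: tid must equal the target tenant.
    Every decision is recorded so a cross-tenant attempt is visible to the victim."""
    claims = _decode(token) or {}
    ok = bool(claims) and claims.get("aud") == audience and claims.get("tid") == resource_tenant
    AUDIT_LOG.append({"tenant": resource_tenant, "token_tid": claims.get("tid"),
                      "subject": claims.get("sub"), "accepted": ok})
    return ok
```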
Read at Techzine Global