
"Microsoft built security controls around identity like conditional access and logs, but this internal impression token mechanism bypasses them all,"
"This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer."
"We don't need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,"
"With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,"
An internal impression token mechanism can bypass identity controls such as conditional access and logging, enabling unauthorized access. The vulnerability could allow an attacker to add themselves as the highest-privileged admin in any tenant and thereby gain full access to every Microsoft service that uses Entra ID for authentication. A prior incident, Storm-0558, disclosed in July 2023, involved theft of a signing key that let the attackers forge authentication tokens and access cloud-hosted Outlook mailboxes, including those of US government departments. Microsoft subsequently expanded its protections and launched the Secure Future Initiative to accelerate vulnerability response and strengthen its cloud security defenses.
Read at Ars Technica