
Comment by nine_k

1 month ago

It's even worse: "Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access". This goes against all principles of good security design. A token that gives root access instead of specifying a particular action allowed just invites misuse, erroneous or malicious.

I would expect these tokens to be like JWT or macaroons, carrying specific permissions within specific bounds / tenants. Alas.

Well, you're in luck, they are JWTs in fact. JWTs in JWTs, so extra secure.

  • And of course, because the inner JWT is already signed, why bother signing the outer one? Just validate the inner one!

    I'm feeling sorry for those poor abused JWTs in this vulnerability.

They are!

But the systems that have been built around them are bad. Firstly in issuing these ‘root’ tokens at all, and secondly in not checking the claims properly.

A JWT is only as good as the systems it’s used by.
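The two failure modes the replies above describe (validating only the signed inner JWT and then believing whatever the unsigned outer one says, and issuing a "root" token with no tenant bound to check against) can be shown side by side. The following is an added example, not code from this thread or from any identity provider: a minimal HS256 JWT encoder plus a naive validator next to a strict one. The keys, the claim names (actor, tid, allowed_tids), the issuer/service/resource roles and the sample tokens are all constructed assumptions for the demo.

```python
# Constructed example: HS256 keys, claim names (actor, tid, allowed_tids) and the
# issuer/service/resource roles are assumptions, not a real provider's token format.
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000  # fixed clock so the example is deterministic

ISSUER_KEY = b"constructed-issuer-key"    # signs the inner (actor) token
SERVICE_KEY = b"constructed-service-key"  # should sign the outer token
ACTOR_KEYS = {"service": SERVICE_KEY}     # the resource's registry of actor keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder, enough to exercise the validators below."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """Read claims without checking the signature: usable for routing, never for trust."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes, *, iss: str, aud: str, now: int = NOW) -> dict:
    """Check alg, signature, issuer, audience and expiry; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != iss:
        raise ValueError("bad issuer")
    if claims.get("aud") != aud:
        raise ValueError("bad audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def accept_naive(outer: str) -> dict:
    """The mistake from the thread: verify the signed inner token, then believe the outer one."""
    outer_claims = decode_unverified(outer)
    verify_jwt(outer_claims["actor"], ISSUER_KEY, iss="issuer", aud="resource")
    return {"tenant": outer_claims["tid"], "user": outer_claims["sub"]}


def accept_strict(outer: str) -> dict:
    """Verify both signatures and keep the outer claims inside the inner token's bounds."""
    inner = verify_jwt(decode_unverified(outer)["actor"], ISSUER_KEY, iss="issuer", aud="resource")
    actor_key = ACTOR_KEYS.get(inner.get("sub"))
    if actor_key is None:
        raise ValueError("unknown actor")
    outer_claims = verify_jwt(outer, actor_key, iss=inner["sub"], aud="resource")
    if outer_claims.get("tid") not in inner.get("allowed_tids", []):
        raise ValueError("tenant outside the inner token's scope")
    return {"tenant": outer_claims["tid"], "user": outer_claims["sub"]}


def make_inner(allowed_tids: list) -> str:
    return sign_jwt({"iss": "issuer", "aud": "resource", "sub": "service",
                     "allowed_tids": allowed_tids, "exp": NOW + 600}, ISSUER_KEY)


def make_outer(inner: str, tid: str, user: str, key: bytes) -> str:
    return sign_jwt({"iss": "service", "aud": "resource", "sub": user, "tid": tid,
                     "actor": inner, "exp": NOW + 600}, key)


INNER = make_inner(["tenant-a"])  # issuer lets "service" act, but only in tenant-a
LEGIT = make_outer(INNER, "tenant-a", "alice", SERVICE_KEY)
# Attacker reuses the genuinely signed inner token, rewrites the outer claims and
# signs with junk (no service key): only checking the outer signature catches this.
FORGED = make_outer(INNER, "tenant-b", "admin", b"attacker-junk")
# Honest service key, but a tenant the inner token never granted.
OUT_OF_SCOPE = make_outer(INNER, "tenant-b", "alice", SERVICE_KEY)


def outcome(validator, token: str):
    """Return the validator's result, or a 'rejected: ...' string on failure."""
    try:
        return validator(token)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, tok in (("legit", LEGIT), ("forged", FORGED), ("out_of_scope", OUT_OF_SCOPE)):
        print(name, "naive:", outcome(accept_naive, tok), "| strict:", outcome(accept_strict, tok))
```

The naive validator accepts all three tokens because the only signature it checks is the one the attacker never had to forge. The strict validator verifies the inner token first (the issuer's statement of who the actor is and which tenants it may act in), then uses that to choose the key the outer token must be signed with, and finally refuses an outer tid outside allowed_tids, which is the bounded, per-tenant scope nine_k asks for above.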