Comment by VoidWhisperer
1 month ago
I feel like I remember a similar attack related to Entra ID from a while ago, although I can't remember exactly what it was (maybe [0] or [1]?). I understand that this is a complex system, but I would be concerned with the number of relatively high severity vulnerabilities being found in it.
[0]: https://securitylabs.datadoghq.com/articles/i-spy-escalating... [1]: https://www.semperis.com/blog/unoauthorized-privilege-elevat...
You could get into Microsoft's tenant with any Entra account.
That's because Microsoft's own fucking developers don't even understand how Entra authentication/authorization works, and that in some/most scenarios you'll need to check if an account is actually authorized to enter a protected resource post-login (which you need to do within the OAuth login flow in the resource being accessed, nobody will do it for you).
Something I already discovered by accident (and fixed, of course!) in my own SaaS service at the time (with support for Entra B2B authentication) even before this researcher discovered the same at Microsoft:
https://news.ycombinator.com/item?id=44850681
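The post-login tenant check the comment above describes, written out as an added example (not code from the commenter's service or from Microsoft): it assumes the OIDC library has already verified the token signature and expiry, and that the resource uses Entra v2.0 tokens; the tenant IDs, audience and claim values are constructed placeholders.

```python
# Tenants that are allowed to reach this resource (placeholder IDs).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# Assumed app ID URI of the protected resource.
EXPECTED_AUDIENCE = "api://example-saas-api"

def is_authorized(claims: dict,
                  allowed_tenants=ALLOWED_TENANTS,
                  audience=EXPECTED_AUDIENCE) -> bool:
    """Authorization step a multi-tenant resource must do itself.

    A valid signature only proves Entra issued the token for *some* tenant;
    it does not prove that tenant may use this resource. So we check the
    tenant id (tid), that the issuer matches that same tenant, and that the
    token was minted for this API rather than some other audience.
    """
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False
    # Entra v2.0 tokens carry a per-tenant issuer; tid and iss must agree.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False
    return claims.get("aud") == audience

# Constructed sample claim sets, as they would look after signature validation.
HOME_TENANT_CLAIMS = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "aud": "api://example-saas-api",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
}
# Same shape, but issued by a tenant this resource never onboarded.
FOREIGN_TENANT_CLAIMS = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "aud": "api://example-saas-api",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
}
# Allowed tid but issuer from a different tenant: inconsistent, reject.
ISSUER_MISMATCH_CLAIMS = dict(HOME_TENANT_CLAIMS,
                              iss="https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0")

if __name__ == "__main__":
    for name, c in [("home", HOME_TENANT_CLAIMS), ("foreign", FOREIGN_TENANT_CLAIMS),
                    ("mismatch", ISSUER_MISMATCH_CLAIMS)]:
        print(name, "->", "allow" if is_authorized(c) else "deny")
```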
Ah yeah, that eye.security post was the one I had seen before. Thanks!