“Microsoft has built security controls around identity such as conditional access and logs, but this internal impersonation mechanism bypasses them all,” says Michael Bargury, the CTO at security company Zenity. “This is the most impactful vulnerability that you can find in an identity provider, making a full compromise of every customer possible.”
If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.
“We don't have to guess what the impact might have been; we saw what happened two years ago when Storm-0558 compromised a signing key, so that they could log in as a user on a tenant,” says Bargury.
Although the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyberespionage group known as Storm-0558 had stolen a cryptographic key with which it could generate authentication tokens and gain access to cloud-based Outlook email systems, including those of the US government.
Over the following months, a Microsoft postmortem revealed various errors that had allowed the Chinese group to slip past cloud defenses in the Storm-0558 attack. The security incident was one of a series of Microsoft problems around that time. These motivated the company to launch its “Secure Future Initiative”, which expanded protections for its cloud systems and set more aggressive goals for responding to vulnerability disclosures and publishing patches.
Mollema says that Microsoft responded well to his findings and seemed to understand their urgency. But he emphasizes that his findings could have taken malicious hackers even further than the 2023 incident did.
“With the vulnerability you could simply add yourself as the highest privileged admin in the tenant, so then you have full access,” says Mollema. Every Microsoft service “that you log into, whether that is Azure, or SharePoint, or Exchange – that could be compromised with this.”
This story originally appeared on Wired.com.