Microsoft Entra ID Bug Could Let Hackers Take Over Any Company Tenant

johny899

New Member
Content Writer
Messages
338
Reaction score
3
Points
23
Balance
$354.2USD
Major news came to my attention: a vulnerability in Microsoft Entra ID allowed hackers to take control of the account system for any organization. Not just limited access, but full administrator access. This means they were able to change passwords, add users to the system, and even block legitimate administrators. So it would be analogous to someone stealing the master keys to an office.

What caused the vulnerability

Entra ID (previously known as Azure Active Directory) manages logins and permissions for a wide range of organizations. A security researcher discovered that two older features posed a significant risk.

  • Actor tokens were operational for 24 hours, couldn't be revoked after being issued, and bypassed security checks.
  • The old Azure AD Graph API didn't properly validate that the request was from the correct company.
  • This allowed hackers to pretend to be part of any company.

In short, hackers could impersonate anyone within your organization, including the top admin. Even worse, many actions weren't logged and the victims might never know.

Here is how the hackers executed the attack, step by step:

1. The hacker created an actor token in their account.

2. The hacker found the tenant ID of the target company (which is very easy to look up).

3. The hacker found a user's netID within the company.

4. The hacker used the token and those identifiers to spoof the old API.

5. Within seconds, they were logged in as a Global Admin of the company.

It seems unbelievable, right? Like finding a hidden spare key under the mat and using it to access someone else's house.

What Microsoft did

Fortunately, Microsoft was aware and moved quickly:

  • The flaw was fixed within one week
  • The old API started being shut down
  • They will eventually get rid of the actor token entirely
  • They began asking developers to use the new Microsoft Graph API

This is a good example of how dangerous it is to continue to use the "old" way of doing things just because it "still works."

Why this is important for all of us

If your organization is using Entra ID, this flaw is definitely important to consider. The threat of admin takeovers is about as severe as you can get, and this attack could occur without a soul being aware of it.

Conclusion

This vulnerability reminds us that one weak link can put everything at risk. Microsoft issued a patch to fix this vulnerability, but we should all take note: keep systems current and decommission tools while they are still on your platforms and you have time to develop a remediation plan.
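The practical takeaway from the post is the migration point: find out which of your own app registrations still depend on the legacy Azure AD Graph API before it is shut down. The script below is an added example, not code from the post's author or from Microsoft. It audits app registration records in the shape that Microsoft Graph returns from `GET /v1.0/applications` (each app lists the APIs it requests under `requiredResourceAccess`) and flags every app that still requests Azure AD Graph permissions, listing app-only ("Role") permissions first because those act without any signed-in user. The well-known resource app IDs for Azure AD Graph (`00000002-0000-0000-c000-000000000000`) and Microsoft Graph (`00000003-0000-0000-c000-000000000000`) are real; the three sample applications embedded in the script are constructed for the example.

```python
"""
Audit app registrations for dependencies on the legacy Azure AD Graph API.

Added example (not from the forum post or from Microsoft). The input mirrors the
shape of Microsoft Graph's /v1.0/applications response; the sample data below
is constructed for illustration.
"""
import json
from dataclasses import dataclass

# Well-known resource (service principal) app IDs referenced by requiredResourceAccess.
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # legacy Azure AD Graph
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph


@dataclass(frozen=True)
class Finding:
    display_name: str
    app_id: str
    permission_count: int
    has_application_permissions: bool  # True if any app-only ("Role") permission is requested


def load_applications(json_text):
    """Accept either a raw Graph response ({"value": [...]}) or a bare list of applications."""
    data = json.loads(json_text)
    return data["value"] if isinstance(data, dict) else data


def find_legacy_graph_dependencies(applications):
    """Return one Finding per application that still requests Azure AD Graph permissions."""
    findings = []
    for app in applications:
        for resource in app.get("requiredResourceAccess", []):
            if resource.get("resourceAppId") != AZURE_AD_GRAPH_APP_ID:
                continue
            accesses = resource.get("resourceAccess", [])
            # "Role" = application permission (app-only); "Scope" = delegated permission.
            findings.append(Finding(
                display_name=app.get("displayName", "<unnamed>"),
                app_id=app.get("appId", "<unknown>"),
                permission_count=len(accesses),
                has_application_permissions=any(a.get("type") == "Role" for a in accesses),
            ))
    # App-only permissions are the riskier dependency, so surface them first.
    findings.sort(key=lambda f: (not f.has_application_permissions, f.display_name))
    return findings


# Constructed sample: three app registrations, two of which still use Azure AD Graph.
SAMPLE_APPLICATIONS_JSON = json.dumps({"value": [
    {
        "displayName": "Intranet Portal",
        "appId": "11111111-1111-1111-1111-111111111111",  # constructed
        "requiredResourceAccess": [
            {"resourceAppId": AZURE_AD_GRAPH_APP_ID,
             "resourceAccess": [{"id": "aad-scope-1", "type": "Scope"}]},
            {"resourceAppId": MICROSOFT_GRAPH_APP_ID,
             "resourceAccess": [{"id": "msg-scope-1", "type": "Scope"}]},
        ],
    },
    {
        "displayName": "Modern Reporting",
        "appId": "22222222-2222-2222-2222-222222222222",  # constructed
        "requiredResourceAccess": [
            {"resourceAppId": MICROSOFT_GRAPH_APP_ID,
             "resourceAccess": [{"id": "msg-role-1", "type": "Role"}]},
        ],
    },
    {
        "displayName": "Legacy HR Sync",
        "appId": "33333333-3333-3333-3333-333333333333",  # constructed
        "requiredResourceAccess": [
            {"resourceAppId": AZURE_AD_GRAPH_APP_ID,
             "resourceAccess": [{"id": "aad-role-1", "type": "Role"},
                                {"id": "aad-scope-2", "type": "Scope"}]},
        ],
    },
]})


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return find_legacy_graph_dependencies(load_applications(SAMPLE_APPLICATIONS_JSON))


if __name__ == "__main__":
    for f in audit_sample():
        kind = "app-only" if f.has_application_permissions else "delegated"
        print(f"{f.display_name} ({f.app_id}): {f.permission_count} Azure AD Graph permission(s), {kind}")
```

To run this against a real tenant, export the applications with a client that holds the `Application.Read.All` permission, for example `az rest --method GET --url "https://graph.microsoft.com/v1.0/applications?\$select=displayName,appId,requiredResourceAccess"` (follow `@odata.nextLink` pages if the tenant has many apps), then feed the saved JSON to `load_applications`. The report gives you the migration list the post's "use the new Microsoft Graph API" advice implies, with the app-only dependencies at the top.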