userbinator 2 hours ago

failed to properly validate the originating tenant

One wonders whether those who designed all this ever considered what that field in the token is for.

The word "tenant" is also very telling --- you're just renting, and the "landlord" always has the keys.

  • nine_k 15 minutes ago

    It's even worse: "Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access". This goes against all principles of good security design. A token that gives root access instead of specifying a particular action allowed just invites misuse, erroneous or malicious.

    I would expect these tokens to be like JWT or macaroons, carrying specific permissions within specific bounds / tenants. Alas.
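Added illustration, not code from the thread or from the vendor: a constructed, JWT-shaped claim set checked two ways, once the way the quoted failure reads (expiry and scope checked, originating tenant ignored) and once tenant-bound, so the token only works inside the tenant it was issued for. Claim names `tid` and `scp` and the tenant ids are assumptions for the example.

```python
import time

# Constructed sample claims, loosely JWT-shaped; not Microsoft's real Actor token format.
# "tid" is the tenant the token was issued for, "scp" the specific permissions granted.
TOKEN_TENANT_A = {
    "iss": "https://issuer.example",
    "tid": "tenant-a",
    "sub": "svc-1",
    "scp": ["mail.read"],
    "exp": 4102444800,  # far-future expiry so the sample stays valid
}


def check_weak(claims, target_tenant, action, now=None):
    """Mirrors the flaw the thread quotes: expiry and scope are checked, but
    target_tenant is never compared to the tenant the token was issued for."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if action not in claims.get("scp", ()):
        return False, "scope"
    return True, "ok"  # accepted for any tenant, which is the problem


def check_tenant_bound(claims, target_tenant, action, now=None):
    """Hardened: honour the token only inside the tenant it was issued for,
    and only for the specific action it carries."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("tid") != target_tenant:
        return False, "tenant mismatch"
    if action not in claims.get("scp", ()):
        return False, "scope"
    return True, "ok"


if __name__ == "__main__":
    print(check_weak(TOKEN_TENANT_A, "tenant-b", "mail.read"))
    print(check_tenant_bound(TOKEN_TENANT_A, "tenant-b", "mail.read"))
```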

pcj-github an hour ago

Absolutely insane. Security so weak, it seems like you discovered an intentional backdoor.

  • cookiengineer 27 minutes ago

    My NSL detector is off the charts here.

malnourish 39 minutes ago

I imagine this paid out quite the bounty; exploited, it's hard to think of a more damning security flaw.

cr125rider 2 hours ago

Wow the keys to all the enterprise castles! That’s wild!

rootsudo 2 hours ago

Oh man, I was close with this a few times as I ran PowerShell in different ISE windows and sometimes copied/pasted things over for different tenants, darn - it really seemed so obvious an exploit!

jwpapi 3 hours ago

Was there a bounty?