nine_k 4 days ago

It's even worse: "Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access". This goes against all principles of good security design. A token that gives root access instead of specifying a particular action allowed just invites misuse, erroneous or malicious.

I would expect these tokens to be like JWT or macaroons, carrying specific permissions within specific bounds / tenants. Alas.

milkshakes 4 days ago

Well, you're in luck: they are JWTs in fact. JWTs in JWTs, so extra secure.

Freak_NL 4 days ago

And of course, because the inner JWT is already signed, why bother signing the outer one? Just validate the inner one!

I'm feeling sorry for those poor abused JWTs in this vulnerability.

Nursie 4 days ago

They are!

But the systems that have been built around them are bad. Firstly in issuing these ‘root’ tokens at all, and secondly in not checking the claims properly.

A JWT is only as good as the systems it’s used by.
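The three complaints in this thread (tokens that carry no bounds, an outer token that is never signature-checked because the inner one is, and claims that are not verified) come down to what a relying party does with a nested JWT. The following is an added example, not code from the thread or from any vendor's token service: a stdlib-only HS256 verifier for an outer token that carries an inner actor token in an `act` claim (the claim name, the key names, the `tid`/`scp` claims and the constructed keys and values are all assumptions for the example). It checks both signatures before reading any claim, refuses `alg: none`, and bounds the inner token to the outer token's audience, tenant and scope.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed keys for the example only; a real service would use asymmetric keys from a key store.
OUTER_KEY = b"example-outer-signing-key"
INNER_KEY = b"example-inner-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT signed with HMAC-SHA256."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def unsigned_token(claims: dict) -> str:
    """The weak form: an 'alg: none' token with an empty signature segment."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature before trusting any claim; refuse every alg except HS256."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_nested_token(outer: str, expected_aud: str, expected_tenant: str,
                          required_scope: str, now: Optional[float] = None) -> dict:
    """Validate an outer token carrying an inner actor token in its 'act' claim (assumed name).
    Both signatures are checked, and the inner token is bounded to the outer token's tenant."""
    now = time.time() if now is None else now
    outer_claims = verify_hs256(outer, OUTER_KEY)            # outer signature first
    if outer_claims.get("aud") != expected_aud:
        raise ValueError("outer token not issued for this resource")
    if outer_claims.get("tid") != expected_tenant:
        raise ValueError("outer token bound to another tenant")
    if outer_claims.get("exp", 0) <= now:
        raise ValueError("outer token expired")

    inner = outer_claims.get("act")
    if not isinstance(inner, str):
        raise ValueError("missing inner actor token")
    inner_claims = verify_hs256(inner, INNER_KEY)            # inner signature, its own key
    if inner_claims.get("tid") != outer_claims["tid"]:
        raise ValueError("inner actor token is for another tenant")
    if inner_claims.get("exp", 0) <= now:
        raise ValueError("inner actor token expired")
    scopes = set(inner_claims.get("scp", "").split())
    if required_scope not in scopes:
        raise ValueError(f"actor lacks scope {required_scope}")
    return {"actor": inner_claims.get("sub"), "tenant": inner_claims["tid"], "scopes": sorted(scopes)}


def demo(now: float = 1_700_000_000) -> dict:
    """Mint one properly signed nested token and two defective ones; report each outcome."""
    inner_claims = {"iss": "token-svc", "sub": "svc-principal-1", "tid": "tenant-A",
                    "scp": "mail.read", "exp": now + 600}
    inner = sign_hs256(inner_claims, INNER_KEY)
    outer_claims = {"iss": "token-svc", "aud": "resource-api", "tid": "tenant-A",
                    "exp": now + 600, "act": inner}
    results = {}
    results["signed"] = validate_nested_token(sign_hs256(outer_claims, OUTER_KEY),
                                              "resource-api", "tenant-A", "mail.read", now)
    # Outer token left unsigned: a valid inner token alone must not be enough.
    try:
        validate_nested_token(unsigned_token(outer_claims), "resource-api", "tenant-A", "mail.read", now)
        results["unsigned_outer"] = "accepted"
    except ValueError as err:
        results["unsigned_outer"] = str(err)
    # Same token presented to a resource in a different tenant.
    try:
        validate_nested_token(sign_hs256(outer_claims, OUTER_KEY), "resource-api", "tenant-B", "mail.read", now)
        results["wrong_tenant"] = "accepted"
    except ValueError as err:
        results["wrong_tenant"] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order matters: signature, then audience and tenant, then expiry, then the inner token under its own key, then scope. Any check that reads claims before the signature is verified, or that accepts the inner token as proof of the outer one, reproduces the design the thread is complaining about.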