mindcrash 4 days ago
You could get into Microsoft's tenant with any Entra account. That's because Microsoft's own fucking developers don't even understand how Entra authentication/authorization works, and that in some/most scenarios you'll need to check if an account is actually authorized to enter a protected resource post-login (which you need to do within the OAuth login flow in the resource being accessed, nobody will do it for you). Something I already discovered by accident (and fixed, of course!) in my own SaaS service at the time (with support for Entra B2B authentication) even before this researcher discovered the same at Microsoft: https://research.eye.security/consent-and-compromise/ HN discussion thread: https://news.ycombinator.com/item?id=44850681
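The post-login check the comment above describes, as an added example (not code from the thread, from Eye Security, or from Microsoft): a multi-tenant Entra app that accepts any ID token minted for its client ID, beside the hardened version that also requires the token's tenant (`tid`) to be on the app's own allow-list and to agree with the issuer. The client ID, tenant IDs and claim sets are constructed, and the code assumes the JWT signature, expiry and nonce were already verified by the OIDC library against the issuing tenant's signing keys; the tenant decision is the part no library makes for you.

```python
"""Post-login tenant authorization for an Entra ID multi-tenant app.

Added example, not code from the HN thread, Eye Security or Microsoft.
Assumes the JWT signature, expiry and nonce have already been verified by
the OIDC library; the functions below receive the decoded claims only.
"""

from typing import Any, Mapping

# Hypothetical configuration for the protected application (constructed).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_TENANTS = frozenset({
    "aaaaaaaa-0000-0000-0000-000000000001",  # our home tenant
    "aaaaaaaa-0000-0000-0000-000000000002",  # a contracted B2B partner
})
FOREIGN_TENANT = "ffffffff-0000-0000-0000-000000000099"  # any other Entra tenant


def _issuer(tid: str) -> str:
    # Entra v2.0 issuer format; v1.0 tokens use https://sts.windows.net/{tid}/
    return f"https://login.microsoftonline.com/{tid}/v2.0"


def authorize_weak(claims: Mapping[str, Any], client_id: str) -> bool:
    """The mistake: any token minted for our client ID is accepted.

    With the /common (multi-tenant) authority Entra issues such a token to a
    user from ANY tenant who consents to the app, so audience alone lets an
    arbitrary Entra account through.
    """
    return claims.get("aud") == client_id


def authorize(
    claims: Mapping[str, Any], client_id: str, allowed_tenants: frozenset[str]
) -> tuple[bool, str]:
    """Hardened check: audience, tenant/issuer agreement, tenant allow-list."""
    aud = claims.get("aud")
    if aud != client_id:
        return False, f"audience {aud!r} is not this application"

    tid = claims.get("tid")
    if not isinstance(tid, str) or not tid:
        return False, "token carries no tenant id (tid) claim"

    # The issuer must be the per-tenant endpoint for the SAME tenant;
    # otherwise the tid claim cannot be trusted.
    if claims.get("iss") != _issuer(tid):
        return False, f"issuer {claims.get('iss')!r} does not match tenant {tid}"

    if tid not in allowed_tenants:
        return False, f"tenant {tid} is not authorized for this application"

    return True, f"tenant {tid} authorized"


# Constructed, already-signature-verified claim sets (not real tokens).
HOME_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
HOME_USER = {
    "aud": CLIENT_ID, "tid": HOME_TENANT, "iss": _issuer(HOME_TENANT),
    "oid": "0a0a0a0a-0000-0000-0000-000000000010",
    "preferred_username": "alice@contoso.example",
}
FOREIGN_USER = {
    "aud": CLIENT_ID, "tid": FOREIGN_TENANT, "iss": _issuer(FOREIGN_TENANT),
    "oid": "0b0b0b0b-0000-0000-0000-000000000020",
    "preferred_username": "anyone@their-own-tenant.example",
}
# tid says "home tenant" but the token was issued by a foreign tenant.
MISMATCHED = dict(FOREIGN_USER, tid=HOME_TENANT)


if __name__ == "__main__":
    for name, claims in [("home", HOME_USER), ("foreign", FOREIGN_USER),
                         ("mismatched", MISMATCHED)]:
        print(name, "weak:", authorize_weak(claims, CLIENT_ID),
              "hardened:", authorize(claims, CLIENT_ID, ALLOWED_TENANTS))
```

Run it and the weak check returns True for all three claim sets, including the account from an unrelated tenant; the hardened check admits only the home-tenant user. If the app instead signs users in against a single tenant-scoped authority, B2B guests invited into that tenant get a token whose `tid` is that tenant, so the same allow-list covers them without listing each partner's home tenant.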
VoidWhisperer 3 days ago | parent
Ah yeah, that eye.security post was the one I had seen before. Thanks!