Microsoft government email compromised (and quietly fixed) (msrc.microsoft.com) 21 points by deckiedan 3y ago ↗ HN
[–] donmcronald 3y ago ↗ > They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key.How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?A compromised key that can sign authentication tokens seems like a pretty big deal. [–] hermanb 3y ago ↗ It would be pretty interesting if they shared some more detail on this indeed. I was wondering the same when I read “forged” elsewhere.How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?But no, they used a bug/weakness to exchange a token.
[–] hermanb 3y ago ↗ It would be pretty interesting if they shared some more detail on this indeed. I was wondering the same when I read “forged” elsewhere.How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?But no, they used a bug/weakness to exchange a token.
[–] nonfamous 3y ago ↗ Actual title of linked article: "Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email"
3 comments
[ 1.3 ms ] story [ 20.2 ms ] threadHow does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?
A compromised key that can sign authentication tokens seems like a pretty big deal.
How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?
But no, they used a bug/weakness to exchange a token.