6 comments

[ 3.8 ms ] story [ 27.8 ms ] thread
> In several recent investigations of SaaS security incidents, the Obsidian threat research team identified a novel attack vector in the wild: abuse of the Azure AD self-service password reset (SSPR) feature.

What a lie. What a self-serving baldfaced lie. I have a record of my report to GitLab on August 12, 2021 regarding the same SSPR vulnerabilities. Hey Obsidian: email account takeovers work just like a SIM swap. I can name at least two more sites that are vulnerable. I've disclosed to the site owners, so I'm just politely waiting out the 90 days or so before going public.

Prior discussion right here from yours truly: https://news.ycombinator.com/item?id=36726414

They just claim to have identified abuse of an "SSPR" attack happening against Azure AD in the wild. What part is a lie?
No, you've added a word, and left out a different word. They claim to have "identified a novel attack vector".

https://www.cloudflare.com/learning/security/glossary/attack...

An "attack vector" is not necessarily a TTP used by threat actors, it is a way in. Whether it is used or unused, an attack vector is an attack vector.

Yes, they've documented threat actors actively using it. And SSPR used against several other services before this one. But the claim is in the lede sentence: "novel attack vector".

I think you're taking their choice of a single word a bit too seriously, and dare I say, personally. I don't think they're claiming to be the first to have ever discovered this attack vector, nor are they trying to steal credit from you. And while "novel" might not be the best word choice, in common parlance it need not mean "unique," and can just as well mean "unusual." In fact the dictionary definition of "novel" literally includes "unusual" ("new or unusual in an interesting way").
Your dictionary definition / denotation is not the connotation "novel" has in research.
Yea, agree with this guy. Anyways I took "novel attack vector" to just mean "first time we've heard of using SSPR against AD". They even used the existing acronym "SSPR", so they're not claiming to have discovered the attack vector or anything.