A (12:33)

This message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on Depop Low rise jeans, halter top, velour tracksuit, hookah shell necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop where taste recognizes taste.

C (13:03)

So good, so good, so good.

A (13:06)

Give big, Save big with Rack Friday deals at Nordstrom Rack For a limited time, take an extra 40% off red tag clearance for a total Savings up to 75% off. Save on gifts for everyone on your list from brands like Vince Cole, Han, Sam Edelman and more. All sales final and restrictions apply. The best stuff goes fast, so bring your gift list and your wish list to your nearest Nordstrom Rack today.

B (13:35)

Eric Woodruff is chief Identity Architect at Sempris. In today's sponsored Industry Voices segment, we discuss their report. No AUTH Abuse Alert, Full Account Takeover.

C (13:47)

If an application is vulnerable to no auth like a SAS application, if you know, you know the victim or target's email address, you can essentially sign in to the vulnerable SaaS application as that person. And you don't have to phish them or have any interaction. You just need to know what their email address is.

B (14:10)

And you found that a sizable percentage of applications are vulnerable to this?

C (14:18)

Yeah, I mean, the testing of it is I'd say it's tough, right? So when we're going through applications, you really have to sort of understand the context of the application, Right. To determine if it's vulnerable. But yes, out of, you know, the initial round we had was, you know, I think 10, 17 apps that we were looking at and we found like we could test 104 of them and there was nine that were vulnerable. Right. And that comes out to, you know, roughly 9% ish that were vulnerable. We also have done more research since we first published that that is going to be coming out soon where we tested another 38 applications and again found two that were vulnerable there. Right. So that's roughly 5%. So you know, 5% might not seem like a lot, but if you think of the number of applications out there. Right. The number would certainly grow.

B (15:12)

Yeah, I guess at the core of this is the notion that using an email address as a unique identifier has a certain amount of risk associated with it.

C (15:23)

Yeah, I mean, so with, with no auth. I mean at the core of it, it's developers, no offense to developers, but not following the spec for OpenID Connect. And so again, without getting too nerdy, with an OpenID Connect, there's certain attributes like about a user account that in Microsoft's implementation are immutable. Right. So it guarantees that nobody could forage this or mimic, you know, this attribute that identifies, you know, you or me in the app. But developers might take a shortcut or they might not understand OpenID connect or understand the consequences around it and they'll say, oh well, we're just going to key off of email. Right. So if I see, you know, Dave Bittner, Eric Woodruff come in with our email addresses, then, yep, like that's, that's gotta be this person. But the problem is in the entra world, email is not a immutable attribute. There's valid reasons why someone might have an email address that is different than their actual username.

B (16:25)

So, well, walk me through this then. If I'm an attacker and I have access to an entra tenant and I've got the target's email address, what happens next?

C (16:39)

Yeah, so, right, so you've found an application that's, that's vulnerable to this. And so as an attacker, you go stand up an entra tenant, you create, you know, some dummy user, it doesn't really matter what the user is, and then you just set the email address to whoever your target is. Right. So in our research before, we found there was an HR platform that was vulnerable. Right. So you know, if I'm putting my hacker hat on, I know the platform is vulnerable. These days it's easy to go on LinkedIn and try to find, you know, who's customers of this platform and then I find their customers and then it's easy to figure out probably who their HR admin is. Right. So knowing An HR admin is going to have access to a lot of, you know, juicy data in the system. I'll put their email address in and then essentially I just browse to the application and sign in. But again, because the application is just comparing email addresses, it's going to think I'm the HR administrator and give me access to whatever they have access to.

B (17:43)

Help me understand the cross tenant angle here. Exactly what's going on?

C (17:48)

If you think of it in the sense that the application is just looking at a token that comes from entra. Right. And so again, in these scenarios, it's just looking at the token, it's looking for an email address attribute in it. Right. So when we're talking cross tenant, it's an abuse that can happen outside of like the legitimate customers tenant because it's the application that's sort of like the problem here. Right. So whether it's coming from a legitimate tenant or the attacker tenant, this token, which is just sort of encoded data that will have your first name, your last name, email address, it's just looking for email and it's like, oh, this address matches this user. So, yep, you're allowed in as that user, if that makes sense.

B (18:37)

Yeah, as you say, I mean, there's a lot of technical details here, but can we talk a little bit about the story of the testing that you did? You all looked at just over 100 apps and as you mentioned, you found nine of them were vulnerable. Was there a particular methodology for selecting the apps? And I guess question B is how do you go about testing this ethically?

C (19:01)

Yeah, no, those are good questions. So to the first point. So the initial round of testing, we basically went through the Microsoft entry gallery, which is just a listing of applications that vendors, software vendors can put their app in there to sort of make it more, you know, visible for use. So from that list, like we were basically looking for anything that had, you know, a trial, some sort of self service sign up that didn't require, you know, credit cards or having to pay money or something. And this system would let you trial it. So that kind of whittle it down to like the hundred and then of the hundred. Right. Basically what we would do is so we have our attacker tenant that we control and our quote, legitimate user tenant that we control. So we would sign up right, with like a legitimate user that, you know, we control and just some lab tenant, you know, get the trial set up for whatever it is. And again, if the system would allow you to place some bit of data or do something. Right. So that we could sort of like Mark, so to speak, that like, you know, this is. We've done something in this demo because you can't always tell from just like looking at, you know, the user interface. Then we sort of go over to the attacker tenant. We'd go to sign into the same application again with the email address set to our quote, victim. And if we get in, we would just sort of poke around at the interface again, if we had data in there, we could easily see. Oh, right. Like this is the same thing. Like in the HR scenario, when we sign in as the attacker, we saw like the dummy users that we added. In other times it wasn't as simple and maybe you'd have to poke around the interface a little bit for the application to determine if the accounts are sort of one and the same in the app. And I'll just say to your other question about testing ethically, actually maybe I've answered it in there. Right. So we have no intention of trying to get into anything we're not supposed to have access to. So that's where we also wanted things that we could sign up for, trials for. Right. So that way we're making sure that we're only really attacking ourselves and we're not doing anything with, you know, real people or data.

B (21:11)

Yeah. Your research points out that this is particularly hard to spot. Why is that? What makes it so hard?

C (21:20)

Well, I mean, I'll say like, and when I've, when I've spoken about this at conferences, like, the customer is kind of stuck in the middle here. Right. So because the attack is originating from a different tenant than theirs. Right. All the conditional access, any security things that you might do in your Entra ID or your Microsoft 365 is essentially rendered useless because the authentication is happening up in the attacker tenant that you have no control over. You're not going to have any visibility in your entra. And then really it's only on the app developer side of things where they're going to have, you know, whatever logs they're keeping. Right. But again, applications aren't, you know, it's not the greatest strength, right. In having log data in there and even then. But if an app developer, many times we were asked like, well, what could the app developer do to like, check for this? And we're like, well, they should just fix their application. And not to get on a tangent, Right. But the thing is, like, an app developer isn't going to be looking for if they're vulnerable to this in the sense that if, like they knew they were vulnerable to this. I mean, hopefully, right, they would go change their code. So it is something they can fix in the app. Sorry for getting.

B (22:42)

I think you're making a really good point here. I mean, it seems to me like there's a vendor accountability aspect here. Should customers be asking specific questions to their SaaS vendors?

C (22:55)

Yeah, I mean, right. It feels tough because part of me wants to say, absolutely, right. Like if you go to buy a SaaS application or procure one, you should ask the vendor if they're vulnerable to this and link to our work or descopes not to tell ourselves just because we're the ones who sort of explain the problem. But I mean, that could also get heavy to sort of ask your SaaS app vendor if they are vulnerable to this and then it could become a laundry list of all these things. But yeah, I mean, it's tough because, right. Microsoft basically says it's a developer problem and developers aren't going to know that they're vulnerable to it, right. If they don't know. So, yeah, I mean, it's a tough spot for customers because it's also not feasible for customers to write like, go test every application that they procure for this because, you know, it might be easy for researchers to sort of repeat this stuff, but I wouldn't expect your everyday IT pro to kind of go do this in, in something they're trying to procure.

B (24:00)

What about Microsoft? What, what part do they have to play in all of this?

C (24:05)

Yeah, I mean, so Microsoft, right, Had. So when descope had released their research, Microsoft had published an article again in June 2023, basically explaining, you know, a path to mitigate this. Right? So they're like, if you are vulnerable to this, here's how to go, like, fix your SaaS app so it's not vulnerable to this. And they also said at the time that they contacted some app owners that they believe are vulnerable and help them work that out. And that's all great. The problem is they still sort of point the finger back at developers, right? And I guess I'll say from Microsoft's perspective, just because you have the email address is a claim doesn't mean that the app itself is vulnerable. Right? And I think that's sort of how they say, like, right, they don't even know or they can't really tell, right. If all these apps are vulnerable and that's why they tend to push it back on the app devs. And, you know, I, I get it, but I think the problem is, right, it's one of those things like where if you don't know, you don't know. Right. So all the devs that don't know their app is vulnerable probably isn't out there, you know, consuming this information from msrc, you know, about mitigating it. So. Right.

B (25:21)

Needs to be a detection tool. Yeah. How severe do you rate this? How serious should we consider it?

C (25:31)

So we rate it severe. So, and I'll say again, so recently we opened another case with Microsoft because we have a bit of a new finding where one of the applications that we've tested this round had integrations with Office 365 or Microsoft 365. And so in our testing, what we basically did is we get it, we went into the SaaS app, right, that was vulnerable as the attacker and it allowed us to send email, read contacts, do other things as this user in Microsoft 365. And again, we sent emails out to other, you know, of our own test users. Right. To basically prove that you can almost pivot, right, from a vulnerable SaaS app back into Microsoft 365 again relative to whatever permissions that app might have there. So we decided to open a case with MSRC and they came back saying that they find this to be a moderate severity. And they gave us a blurb that, you know, they've notified sort of like downstream service owners. They don't specify. I'm assuming they're talking about like the Exchange and SharePoint online teams. Right. And things like that. And you know, they might put additional defense in depth things in place down the road and then the case was closed. So Microsoft is saying it's moderate but you know, we still stand by it being severe. Right. Because in the HR example, right, it's going to be pii. It's going to be a whole ton of sensitive data that nobody's going to want out there in these examples, right. It's whatever the data is in the SaaS app, right. However critical that data is to you, effectively is how severe this vulnerability would be. Right. If your application was vulnerable.

B (27:15)

That's Eric Woodruff from Sempris.

A (27:32)

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive. In blue cruise enabled vehicles like the F150 Explorer and Mustang Mach E available features on equipped vehicles terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details. Running a business comes with a lot of what ifs, but luckily, there's a simple answer to them. Shopify. It's the commerce platform behind millions of businesses, including Thrive Cosmetics and Momofuku, and it'll help you with everything you need, from website design and marketing to boosting sales and expanding operations. Shopify can get the job done and make your dream a reality. Turn those what ifs into Sign up for your $1 per month trial at shopify.com specialoffer.

B (28:38)

Tell me, doctor, where are we going this time? And finally, a power outage near Boulder, Colorado Bridge briefly put the USA's National Institute of Standards and Technology in the awkward position of having very precise clocks and slightly unreliable electricity. According to NIST physicist Jeffrey Sherman, who is cheerfully paid to watch the clocks all day, the outage disrupted the atomic timescale that underpins NIST's network time protocol services, a quiet but critical backbone of the Internet. The problem was not just losing power. Backup generators kept systems running, meaning inaccurate time could still be broadcast. Sherman even considered disabling the generators, a sentence that probably does not appear often in federal incident reports. Severe storms prevented access to the site, adding weather to the list of adversaries of atomic precision. The good news is the clock drift stayed within a few microseconds, an eternity for physicists but negligible for most Internet users. Services were fully restored within a day, right on time, more or less. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Heltzman. Our executive producer is Jennifer Ibin. Peter Kilty is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Sa.