Family Matters : Abusing Family Refresh Tokens to Gain Unauthorised Access to Microsoft Cloud Services Exploratory Study of Azure Active Directory Family of Client IDs
Cobb, R., Larcher-Gore, A., & Syynimaa, N. (2022). Family Matters : Abusing Family Refresh Tokens to Gain Unauthorised Access to Microsoft Cloud Services Exploratory Study of Azure Active Directory Family of Client IDs. In J. Filipe, M. Smialek, A. Brodsky, & S. Hammoudi (Eds.), ICEIS 2022 : Proceedings of the 24th International Conference on Enterprise Information Systems : Volume 2 (pp. 62-69). SCITEPRESS Science And Technology Publications. https://doi.org/10.5220/0011061200003179
Date
2022Copyright
© 2022 by SCITEPRESS – Science and Technology Publications, Lda.
Azure Active Directory (Azure AD) is an identity and access management service used by Microsoft 365 and Azure services and thousands of third-party service providers. Azure AD uses OIDC and OAuth protocols for authentication and authorisation, respectively. OAuth authorisation involves four parties: client, resource owner, resource server, and authorisation server. The resource owner can access the resource server using the specific client after the authorisation server has authorised the access. The authorisation is presented using a cryptographically signed Access Token, which includes the identity of the resource owner, client, and resource. During the authorisation, Azure AD assigns Access and Id Tokens that are valid for one hour and a Refresh Token that is valid for 90 days. Refresh Tokens are used for requesting new Access and Id token after their expiration. By OAuth 2.0 standard, Refresh Tokens should only be able to be used to request Access Tokens for the same resource ow ner, client, and resource. In this paper, we will present findings of a study related to undocumented feature used by Azure AD, the Family of Client ID (FOCI). After studying 600 first-party clients, we found 16 FOCI clients which supports a special type of Refresh Tokens, called Family Refresh Tokens (FRTs). These FRTs can be used to obtain Access Tokens for any FOCI client. This non-standard behaviour makes FRTs primary targets for a token theft and privilege escalation attacks.
...
Publisher
SCITEPRESS Science And Technology PublicationsParent publication ISBN
978-989-758-569-2Conference
International Conference on Enterprise Information SystemsIs part of publication
ICEIS 2022 : Proceedings of the 24th International Conference on Enterprise Information Systems : Volume 2ISSN Search the Publication Forum
2184-4992Keywords
Publication in research information system
https://converis.jyu.fi/converis/portal/detail/Publication/144286150
Metadata
Show full item recordCollections
License
Related items
Showing items with similar title or keywords.
-
Exploring Azure Active Directory Attack Surface : Enumerating Authentication Methods with Open-Source Intelligence Tools
Syynimaa, Nestori (SCITEPRESS Science And Technology Publications, 2022)Azure Active Directory (Azure AD) is Microsoft’s identity and access management service used globally by 90 per cent of Fortune 500 companies and many other organisations. Recent attacks by nation-state adversaries have ... -
Anomaly detection approach to keystroke dynamics based user authentication
Ivannikova, Elena; David, Gil; Hämäläinen, Timo (IEEE, 2017)Keystroke dynamics is one of the authentication mechanisms which uses natural typing pattern of a user for identification. In this work, we introduced Dependence Clustering based approach to user authentication using ... -
Secure and coherent external user identity management
Kähtävä, Konsta (2023)Pro gradu käsittelee ulkoisten identiteettien hallintaa kohdeyrityksessä. Identiteettien hallinnan tärkeys yritysten tietoturvan hallintamekanismina korostuu päivä päivältä. Identiteetin hallinnan tärkeys korostuu varsinkin ... -
Authorized authentication evaluation framework for constrained environments
Poikolainen, Janne (2016)Internetin kasvu ei perustu tällä hetkellä vain uusien solmujen määrään, vaan Internet on levittäytymässä aivan uusille alueille. Viimeaikoina erilaiset tavat kerätä tietoa ja ohjata laitteita uusin tavoin ovat yleistyneet ... -
“The law that mandates us is stronger than the consumer's rights” : what are the decisions related to authentication method selection?
Tonteri, Heidi (2023)Loppukäyttäjän tunnistusmenetelmien valinnalle on olemassa erilaisia viitekehyksiä, mutta yksikään niistä ei ota kantaa organisaation näkökulmaan turvalliseen ohjelmistokehitykseen liittyen. Tutkimuksen tarkoituksena oli ...