<i>Identity provider’s signing keys are probably the most powerful secrets in the modern world. For example, they are much more powerful than TLS keys.</i><p>They are in many ways equivalent to certificate authorities' keys.<p><i>Organizations using Microsoft and Azure services should take steps to assess potential impact.</i><p>People don't seem to know that old saying about not putting all your eggs in one basket anymore.
<i>Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.</i><p>I hope it is just a coincidence that Microsoft recently renamed Azure AD to “Entra ID:” <a href="https://devblogs.microsoft.com/identity/aad-rebrand/" rel="nofollow noreferrer">https://devblogs.microsoft.com/identity/aad-rebrand/</a>
> The old public key’s certificate revealed it was issued on April 5th, 2016, and expired on April 4th, 2021, and its thumbprint matched the thumbprint of the key Microsoft listed in their latest blog post, named “Thumbprint of acquired signing key”<p>Am I reading this right? The key was expired? And still in use??
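An added example, not code from this thread or from Wiz or Microsoft, of the checks a relying party should apply beyond the signature itself, covering the two concerns in the quoted passages above: a token signed by a key outside its validity window, and a consumer (MSA) key being accepted for a token that claims an enterprise tenant as issuer. The key validity dates are the ones quoted above; the HMAC secrets (a stand-in for RS256 so it runs offline), `NOW`, the issuer URLs and the audience are constructed stand-ins.

```python
import base64, hmac, hashlib, json
from datetime import datetime, timezone
NOW = 1689897600  # constructed "current time": 2023-07-21T00:00:00Z
# Constructed keyring; real MSA/Entra tokens are RS256-signed with JWKS keys, HMAC is used only to run offline.
KEYRING = {
    "old-msa-key": {  # validity window as reported for the acquired key
        "secret": b"constructed-old-key", "issuer": "https://login.live.com",
        "not_before": datetime(2016, 4, 5, tzinfo=timezone.utc),
        "not_after": datetime(2021, 4, 4, tzinfo=timezone.utc),
    },
    "tenant-key": {  # hypothetical enterprise-tenant key
        "secret": b"constructed-tenant-key", "issuer": "https://login.example.test/contoso",
        "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    },
}

def _b64u(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign(kid: str, claims: dict) -> str:  # mints tokens for the test inputs only
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64u(json.dumps(claims).encode())
    mac = hmac.new(KEYRING[kid]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(mac)}"

def verify(token: str, expected_iss: str, expected_aud: str, now: int) -> tuple:
    # Returns (accepted, reason). A valid signature alone is never sufficient.
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(_unb64u(h)), json.loads(_unb64u(b))
    except ValueError:
        return False, "malformed"
    key = KEYRING.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:
        return False, "unknown key or algorithm"
    mac = hmac.new(key["secret"], f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64u(s)):
        return False, "bad signature"
    # Key lifecycle: issued inside the key's validity window, and the key must still be valid now.
    iat, now_dt = (datetime.fromtimestamp(t, timezone.utc) for t in (claims.get("iat", 0), now))
    if not (key["not_before"] <= iat <= key["not_after"] and now_dt <= key["not_after"]):
        return False, "signing key outside its validity period"
    # Key-to-issuer binding: a consumer (MSA) key must not validate an enterprise-tenant token.
    if claims.get("iss") != key["issuer"] or claims.get("iss") != expected_iss:
        return False, "issuer does not match key"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"
```

A correctly signed token still fails when its `kid` points at a key whose validity window does not cover the token's issue time, or when the key's issuer and the token's `iss` disagree.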
Should we just legalize the FAANGs to engage in cyber warfare/espionage against each other? Seems like then they would have to reach a minimum of best security practice instead of relying on obscurity.
It's hard to imagine many worse compromises than a foreign power getting into the email account of our representative to that power. I hope the US government is seriously rethinking the initiatives it's undertaken to move computing to major cloud providers.
> <i>Finally, we want to thank the Microsoft team for working closely with us on this blog and helping us ensure it is technically accurate.</i><p>How was it decided to release this news on a Friday?
> The full impact of this incident is much larger than we initially understood it to be. We believe this event will have long lasting implications on our trust of the cloud and the core components that support it, above all, the identity layer which is the basic fabric of everything we do in cloud. We must learn from it and improve.<p>How about not putting everything in the cloud for starters. And I think the whole problem is not even the cloud. It's the broken capitalistic economy that in the end always begets monopolies or at least a cartel of a few big companies. Because for the long tail of small businesses it does not make sense to use products and services from the big guys. So, giving more power to the market winners ends up in too-big-to-fail companies. Yet, these big companies only have to make one mistake, one slip up, and the target surface is just too big. It's not a question of if, but when such incidents will happen. Only federated services are the answer for the long term survival of society, sacrificing a part of convenience.
> customers’ applications that support the “login with Microsoft” functionality<p>That's a lot of corporate line-of-business applications though, right?<p>And it could end up being the worst part of this hack.
And there's the other shoe. Every major security incident is <i>always</i> worse than initially reported. This one probably has more gas in the tank yet.