Recent research has uncovered two new weaknesses in Microsoft Entra ID (formerly Azure AD) that let an attacker authenticate without the attempt appearing in the tenant's sign-in logs, undermining the ability of administrators to detect unauthorized access attempts. The researchers count these as the third and fourth such bypasses. Microsoft has addressed them, though the details of the fix are not public.
Overview of the Vulnerabilities
By manipulating specific parameters of the Entra ID authentication request, an attacker could obtain valid tokens without the attempts being recorded in the Entra ID sign-in logs. Those logs are the primary record that administrators, detection rules and incident responders rely on to spot password spraying and suspicious sign-ins; an authentication path that never writes to them is invisible to all of those controls.
Details of the Bypasses
The newly identified bypasses, one named GraphGoblin and a second that has not been named, follow the earlier bypasses known as GraphNinja and GraphGhost. The earlier two gave an attacker a logging-free password oracle: a password could be confirmed as correct without any entry appearing, which is exactly what a password-spraying campaign needs. The latest findings go further and return a working token, meaning a complete, usable sign-in that leaves no record.
GraphGoblin was found while testing the scope parameter of the authentication POST request. Submitting a valid scope value repeated an excessive number of times still produced a token, but no new entry in the sign-in logs. The behaviour suggests that token issuance and sign-in logging diverge on how they treat an oversized scope value, and the practical effect is that the authentication attempt is hidden from administrative oversight.
Previous Bypass Methods
In the earlier GraphNinja method, the attacker directed the authentication attempt for a victim user at a different tenant. The response still revealed whether the password was valid, but because the request was not processed against the victim's tenant, no log entry was written there. GraphGhost supplied an invalid Client ID: the password was validated first and the flow then failed on the bad client, so the error returned told the attacker whether the password was correct while, again, nothing was logged. The common thread is that the password check completes, and is observable to the attacker, before the step that would have produced the log entry.
Response and Mitigation
Microsoft has addressed the earlier bypasses through updates that enhance logging. For instance, the sign-in logs now carry additional details indicating whether a password validation succeeded, so a request whose password was accepted but whose flow then failed is visible. How the two latest bypasses are being mitigated has not been made specific. A practical caveat for defenders: the absence of sign-in log entries for an account cannot be read as the absence of attempts against it.
As organizations continue to rely on Entra ID for authentication, understanding these bypasses matters for keeping logging robust enough to detect unauthorized access attempts, and for not treating the sign-in log as the only evidence that such attempts are not happening.
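The following is an added example, not code from the research or from Microsoft, showing how a defender could use the kind of signal the mitigation describes: sign-in records in which the password step succeeded but the sign-in as a whole failed, grouped by source address. It does not detect the bypasses as originally described (those wrote no record at all); it only makes use of the detail that is logged once the platform records password validation. The field names (ResultType, AppId, IPAddress, AuthenticationDetails) assume the Entra ID SigninLogs shape, the rows are constructed, and the non-zero result codes are illustrative only; verify the schema against your own workspace before relying on it.

```python
"""
Added illustration, not code from the research or from Microsoft: flag sign-in
records where the password step succeeded but the sign-in as a whole failed,
and count such events per source address. Field names assume the Entra ID
SigninLogs shape (ResultType, AppId, IPAddress, AuthenticationDetails).
"""
import json
from collections import Counter

# Constructed sample rows, not real telemetry. App IDs are placeholders and
# the non-zero ResultType values are illustrative error codes only.
SAMPLE_SIGNIN_LOGS = [
    {   # ordinary successful sign-in
        "UserPrincipalName": "alice@example.com", "IPAddress": "192.0.2.20",
        "AppId": "00000000-0000-0000-0000-000000000001", "ResultType": "0",
        "AuthenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}],
    },
    {   # ordinary wrong password: nothing for an attacker to learn here
        "UserPrincipalName": "bob@example.com", "IPAddress": "198.51.100.7",
        "AppId": "00000000-0000-0000-0000-000000000001", "ResultType": "50126",
        "AuthenticationDetails": [{"authenticationMethod": "Password", "succeeded": False}],
    },
    {   # password validated, then the flow failed on an unknown client id
        "UserPrincipalName": "carol@example.com", "IPAddress": "198.51.100.7",
        "AppId": "ffffffff-ffff-ffff-ffff-ffffffffffff", "ResultType": "700016",
        "AuthenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}],
    },
    {   # same source, password validated, flow failed; details exported as a JSON string
        "UserPrincipalName": "dave@example.com", "IPAddress": "198.51.100.7",
        "AppId": "00000000-0000-0000-0000-000000000001", "ResultType": "70011",
        "AuthenticationDetails": json.dumps([{"authenticationMethod": "Password", "succeeded": True}]),
    },
]


def auth_details(row):
    """Return the AuthenticationDetails steps as a list, whether the export
    kept them as objects or serialised them to a JSON string."""
    details = row.get("AuthenticationDetails", [])
    if isinstance(details, str):
        details = json.loads(details) if details else []
    return details


def password_validated(row):
    """True when some authentication step shows the password was accepted."""
    return any(step.get("authenticationMethod") == "Password" and step.get("succeeded") is True
               for step in auth_details(row))


def validated_but_failed(rows):
    """Records where the password was right but the sign-in still failed.
    Each is a confirmed-credential event that a filter on ResultType alone
    would file under ordinary failures."""
    return [row for row in rows if row.get("ResultType") != "0" and password_validated(row)]


def sources_by_validated_failures(rows, min_count=2):
    """Source addresses producing at least min_count validated-but-failed
    sign-ins, the pattern a credential-checking campaign would leave."""
    counts = Counter(row.get("IPAddress", "?") for row in validated_but_failed(rows))
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for row in validated_but_failed(SAMPLE_SIGNIN_LOGS):
        print(row["UserPrincipalName"], row["IPAddress"], row["AppId"], row["ResultType"])
    print(sources_by_validated_failures(SAMPLE_SIGNIN_LOGS))
```

The point of separating `password_validated` from `ResultType` is that a confirmed password with a failed flow is a different event from a wrong password: the first tells an attacker something, the second does not. Tune `min_count` to your tenant's normal rate of such events before alerting on it.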
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.