O365 auth bypass
Ioannis Kakavas
ikakavas at noc.grnet.gr
Thu Apr 28 04:00:57 EDT 2016
Hi Leif,
There was a vulnerability in Office 365.
I could send a "forged" SAML assertion and exploit it.
I couldn't send a forged WS-Trust token and exploit it.
I couldn't abuse the username/password authentication.
The title was intended to reflect that. (And yes, I know that "the road
to hell is paved with good intentions".)
BR
Ioannis
On 28/04/2016 10:48 AM, Leif Johansson wrote:
>
>
>>>
>>> This is being misrepresented (and dangerously so, IMHO)
>>
>> That's an overstatement IMHO.
>
> Read the title out loud again and then say it isn't talking about SAML :-)
>
>
--
------------------------------------------------------------------
Ioannis Kakavas - ikakavas at grnet.gr
Identity and Security Engineer
GRNET Network Operations Centre
Greek Research & Technology Network - http://www.grnet.gr
56, Mesogion Av., Ampelokipi, 11527 Athens, Greece
Office: +30 2107474255
PGP Fingerprint: A5AA FB5E 740A 603B FAB1 9920 D70F 0CD5 9DE3 C262
------------------------------------------------------------------