Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found

8 hours ago
  • #Microsoft Vulnerabilities
  • #Azure Security
  • #Log Bypass
  • Nyxgeek discovered two new Azure Entra ID sign-in log bypasses, GraphGoblin and Graph******, which allowed attackers to retrieve valid tokens without logging the activity.
  • GraphGoblin exploited repeated scope values (e.g., 'openid openid openid') to bypass logging, likely due to SQL column overflow.
  • Graph****** used an excessively long user-agent string (50,000 characters) to bypass logging, also likely due to SQL column overflow.
  • Both bypasses were fixed by Microsoft, but GraphGoblin was initially dismissed as 'Moderate' severity despite its critical impact.
  • KQL queries can detect bypassed sessions by comparing Graph Activity logs with Sign-In logs for missing Session IDs.
  • Microsoft's inconsistent handling of these vulnerabilities—ranging from bounties to no acknowledgment—raises concerns about their security review processes.
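The detection idea in the fifth bullet, written out as an added KQL example that is not from the original article or from Nyxgeek's write-up. It assumes the Azure Monitor tables `MicrosoftGraphActivityLogs`, `SigninLogs` and `AADNonInteractiveUserSignInLogs`, that `SignInActivityId` in the Graph log correlates with `UniqueTokenIdentifier` in the sign-in logs, and that the 2000-character user-agent threshold is a chosen example value.

```kql
// Added example: Graph API activity whose sign-in correlation id has no
// matching interactive or non-interactive sign-in record in the same window.
// Such rows are the "bypassed sessions" described above. Column names are
// assumptions based on the documented Azure Monitor schema.
let lookback = 1d;
let signins =
    union
        (SigninLogs
         | where TimeGenerated > ago(lookback)
         | project UniqueTokenIdentifier),
        (AADNonInteractiveUserSignInLogs
         | where TimeGenerated > ago(lookback)
         | project UniqueTokenIdentifier)
    | where isnotempty(UniqueTokenIdentifier)
    | distinct UniqueTokenIdentifier;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where isnotempty(SignInActivityId)
// leftanti keeps only Graph rows with no sign-in record to explain them
| join kind=leftanti signins on $left.SignInActivityId == $right.UniqueTokenIdentifier
// Secondary indicators matching the two reported techniques:
// an unusually long user-agent, or the same scope requested more than once.
| extend ScopeList = split(Scopes, " ")
| extend LongUserAgent   = strlen(UserAgent) > 2000   // assumed threshold
| extend RepeatedScopes  = array_length(ScopeList) > array_length(set_union(ScopeList, ScopeList))
| summarize Requests        = count(),
            FirstSeen       = min(TimeGenerated),
            LastSeen        = max(TimeGenerated),
            LongUAHits      = countif(LongUserAgent),
            RepeatedScopeHits = countif(RepeatedScopes),
            SampleUri       = any(RequestUri)
  by SignInActivityId, UserId, AppId, IPAddress
| order by Requests desc
```

Rows with non-zero `LongUAHits` or `RepeatedScopeHits` deserve first attention, but any unmatched `SignInActivityId` is worth reviewing, since a future bypass need not share either trait.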