Coursera Flash Sale
40% Off Coursera Plus for 3 Months!
Grab it
Explore a critical security vulnerability in Microsoft Entra ID OAuth implementations through this 30-minute Black Hat conference talk. Dive deep into the complexities of OAuth authentication and authorization, examining how a seemingly simple misconfiguration allowed unauthorized access to over 20 internal Microsoft applications. Learn about the shared responsibility challenges between developers and platform providers when implementing OAuth, discover why the distinction between authentication and authorization remains problematic, and understand how "Open Authorization" standards can be misused for authentication purposes. Examine real-world examples of accessing sensitive data, administering Copilot, building custom Windows versions, and approving bounty payouts through this overlooked vulnerability. Analyze the gap between Microsoft's documented fixes and actual implementation security, while exploring code examples that demonstrate common critical oversights in OAuth implementations. Gain insights into responsible disclosure processes and understand the broader implications of OAuth misconfigurations in enterprise environments.
