Aaron Parecki · Mar 30, 2023 · 12:54 AM UTC

Aaron Parecki · Mar 30, 2023 · 12:54 AM UTC

Aaron Parecki

Aaron Parecki @aaronpk

Mar 30

Yet another reason why Token Exchange is dangerous 🤯😱 "Bing is allowed to issue Office tokens for any logged-on user"

Hillai Ben-Sasson @hillai

Mar 29

Replying to @hillai

When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!

Mar 30, 2023 · 12:54 AM UTC

Pushkar Jaltare · Mar 31, 2023 · 12:49 AM UTC

Pushkar Jaltare @Pushkar2911

Mar 31

Replying to @aaronpk

How will you implement the token exchange safely?Bing being able to create JWT tokens for MS Office makes sense from product standpoint. One way would be to vend scoped down tokens (for MS office) to Bing. Are there any other alternatives?

Hirsch Singhal · Mar 30, 2023 · 1:04 AM UTC

Hirsch Singhal @hpsin_

Mar 30

Replying to @aaronpk

Something something breaking cross domain cookies and composability of the web...