Yet another reason why Token Exchange is dangerous 🤯😱 "Bing is allowed to issue Office tokens for any logged-on user"
Replying to @hillai
When inspecting Bing requests, I noticed an endpoint being used for Office 365 communications. As it turns out, Bing is allowed to issue Office tokens for any logged-on user. I quickly crafted an XSS payload utilizing this functionality, tested it on myself, and it worked!

Mar 30, 2023 · 12:54 AM UTC

Replying to @aaronpk
How will you implement the token exchange safely? Bing being able to create JWT tokens for MS Office makes sense from a product standpoint. One way would be to vend scoped-down tokens (for MS Office) to Bing. Are there any other alternatives?
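The reply above asks how an exchange like Bing-to-Office could be done safely and suggests vending scoped-down tokens. The block below is an added illustration, not code from the thread, from Bing or from Microsoft, of what "scoped down" means at the token-exchange endpoint: the client performing the exchange is checked against an allowlist of audiences, and the issued token's scopes are the intersection of what was requested, what that client is ever allowed to mint for that audience, and what the user's own session already holds. All names, keys and policy entries (`bing-client`, `office-api`, `files.read`, the HS256 keys) are constructed for the example; a real deployment would use asymmetric keys and a policy store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed policy (hypothetical values): for each exchanging client, the
# audiences it may request and the CEILING of scopes it can receive for each.
EXCHANGE_POLICY = {
    "bing-client": {
        "office-api": {"files.read"},  # read-only, never mail or write scopes
    },
}

# Hypothetical HS256 keys so the example runs offline; not production practice.
SUBJECT_TOKEN_KEY = b"constructed-subject-session-key"
OFFICE_TOKEN_KEY = b"constructed-office-api-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT signer (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def make_subject_token(user: str, scopes: list) -> str:
    """Constructed user session token, standing in for the logged-on user."""
    return sign_jwt(
        {"sub": user, "scp": sorted(scopes), "exp": int(time.time()) + 3600},
        SUBJECT_TOKEN_KEY,
    )


class ExchangeError(Exception):
    pass


def exchange_token(client_id: str, subject_token: str,
                   requested_audience: str, requested_scopes: list) -> str:
    """Token-exchange endpoint that only ever issues a downscoped token."""
    # 1. The subject token must be a valid session for a real user.
    subject = verify_jwt(subject_token, SUBJECT_TOKEN_KEY)

    # 2. The exchanging client must be allowlisted for this audience at all.
    ceiling = EXCHANGE_POLICY.get(client_id, {}).get(requested_audience)
    if ceiling is None:
        raise ExchangeError(f"{client_id} may not mint tokens for {requested_audience}")

    # 3. Granted scopes = requested ∩ client ceiling ∩ scopes the user holds.
    #    Any requested scope outside that set is a hard failure, not a silent trim,
    #    so over-broad requests surface in logs instead of being quietly honoured.
    requested = set(requested_scopes)
    granted = requested & ceiling & set(subject.get("scp", []))
    if granted != requested:
        raise ExchangeError(f"scopes not permitted: {sorted(requested - granted)}")

    now = int(time.time())
    claims = {
        "iss": "token-exchange",
        "sub": subject["sub"],
        "aud": requested_audience,
        "azp": client_id,            # which client performed the exchange
        "act": {"sub": client_id},   # RFC 8693 actor claim for audit trails
        "scp": sorted(granted),
        "exp": now + 300,            # short-lived: limits the blast radius of theft
    }
    return sign_jwt(claims, OFFICE_TOKEN_KEY)


if __name__ == "__main__":
    session = make_subject_token("alice", ["files.read", "mail.readwrite"])
    office = exchange_token("bing-client", session, "office-api", ["files.read"])
    print(verify_jwt(office, OFFICE_TOKEN_KEY))
```

The point of the policy table is that the ceiling is per client and per audience: even a fully compromised exchanging client can only obtain the narrow, short-lived scopes it was provisioned for, which is the scoped-down alternative the reply proposes.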
Replying to @aaronpk
Something something breaking cross domain cookies and composability of the web...