Explore a comprehensive security conference talk detailing a complete exploit chain discovered in Azure B2C, from initial cryptographic vulnerability identification to achieving full account compromise across any tenant without authentication. Learn about the technical process of reverse engineering the cryptographic vulnerability and implementing a novel attack method for crypto key recovery. Understand the significant implications of this security flaw, which affected Microsoft's Azure B2C identity and access management service used by thousands of organizations, including government entities, professional societies, and commercial enterprises. Discover how this vulnerability impacted Microsoft's own Security Response Center (MSRC) portal, potentially exposing sensitive information about undisclosed zero-day vulnerabilities submitted through Microsoft's bug bounty programs.
Overview
Syllabus
DEF CON 31 - Azure B2C 0Day - An Exploit Chain from Public Keys to Microsoft Bug Bounty - John Novak
Taught by
DEFCONConference