all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

ROPC - So, you think you have MFA?

Add to bookmarks
e
Oct. 20, 2022, 3 p.m. |

Embrace The Red embracethered.com

This post will highlight a pattern I have seen across multiple production Microsoft Azure Active Directory tenants which led to MFA bypasses using ROPC.
The key take-away: Always enforce MFA! Sounds easy, but there are often misconfigurations and unexpected exceptions. So, test your own AAD tenant for ROPC based MFA bypass opportunities.
Github: https://github.com/wunderwuzzi23/ropci
What is ROPC? Resource Owner Password Credentials (ROPC) is an OAuth2 authorization grant type (“flow”) defined in RFC 6749.

mfa

Visit resource

More from embracethered.com / Embrace The Red

Em
Automatic Tool Invocation when Browsing with ChatGPT - Threats and Mitigations 4 days ago | embracethered.com
apps automatic browsing can +12
Em
ChatGPT: Hacking Memories with Prompt Injection 1 week, 3 days ago | embracethered.com
agent ai assistant assistant attacker +18
Em
Machine Learning Attack Series: Backdooring Keras Models and How to Detect It 2 weeks ago | embracethered.com
adversaries arbitrary code arbitrary code execution artificial +18
Em
Pivot to the Clouds: Cookie Theft in 2024 2 weeks, 2 days ago | embracethered.com
blog browser clouds cookie +20
Em
Bobby Tables but with LLM Apps - Google NotebookML Data Exfiltration 1 month, 2 weeks ago | embracethered.com
apps can chat control +19
Em
HackSpaceCon 2024: Short Trip Report, Slides and Rocket Launch 1 month, 2 weeks ago | embracethered.com
center class conference dave +14
Em
Google AI Studio Data Exfiltration via Prompt Injection - Possible Regression and Fix 1 month, 3 weeks ago | embracethered.com
data data exfiltration discipline easier +14
Em
The dangers of AI agents unfurling hyperlinks and what to do about it 1 month, 4 weeks ago | embracethered.com
agents ai agents ai chatbots attackers +11
Em
ASCII Smuggler - Improvements 2 months, 4 weeks ago | embracethered.com
ascii decode decoding end +11

Jobs in InfoSec / Cybersecurity

Post a Job Search Talent

CyberSOC Technical Lead

@ Integrity360 | Sandyford, Dublin, Ireland
View on infosec-jobs.com

Cyber Security Strategy Consultant

@ Capco | New York City
View on infosec-jobs.com

Cyber Security Senior Consultant

@ Capco | Chicago, IL
View on infosec-jobs.com

Sr. Product Manager

@ MixMode | Remote, US
View on infosec-jobs.com

Corporate Intern - Information Security (Year Round)

@ Associated Bank | US WI Remote
View on infosec-jobs.com

Senior Offensive Security Engineer

@ CoStar Group | US-DC Washington, DC
View on infosec-jobs.com