I'll do you one better: stealing the signing key was not even necessary.

https://www.bleepingcomputer.com/news/security/microsoft-ent...

reply
I knew there was another incident that I was forgetting, insanity... I don't understand how Microsoft keeps getting away with this and everyone just forgets.
reply
When people's income depends on them forgetting... they tend to become amnesiacs.
reply
Because time to market is more important than security (at Microsoft).
reply
Oh please, that could happen at any company. Humans screw up.
reply
But it doesn't. Full authentication bypass exploits are extremely rare and unheard of among tech giants. Maybe account takeover/recovery, sure, but full bypass? It just never happens.

Microsoft goes beyond that: they've managed to have a critical vulnerability in almost every authentication product they have ever created. It's exceptional.

reply
> But it doesn't.

That we know of.

> It's exceptional.

I agree, but I look at it as a question of cost. Would it make sense for Russia to spend on resources to compromise GCP or AWS? Microsoft's Entra ID/Azure AD itself is an exceptional product in that organizations' dependency on it, especially US government orgs, is exceptional.

If APTs target AWS, they will compromise it, period. Of course the caveat is time, skill and money which can all be acquired at cost.

reply