Skip to content

DUNA. Prevent phish attack in “switch_browser” flow. , Fixes AB#3250169 #2631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Apr 30, 2025
Merged

DUNA. Prevent phish attack in “switch_browser” flow. , Fixes AB#3250169 #2631

merged 6 commits into from
Apr 30, 2025

Conversation

@p3dr0rv
Copy link
Contributor

@p3dr0rv p3dr0rv commented Apr 28, 2025
edited by azure-boards bot
Loading

DOC: https://microsoft-my.sharepoint-df.com/:w:/r/personal/sedemche_microsoft_com/_layouts/15/Doc.aspx?sourcedoc=%7B29055A71-DD9A-4E95-9E2D-6DBFB77F7823%7D&file=DUNA-switch_browser-phish%20attack.docx&action=default&mobileredirect=true&share=IQFxWgUpmt2VTp4tbb-3f3gjAb1Z62agYgf-0Tl4zsGqDBE

The document highlights a security vulnerability where malicious applications can exploit the "switch_browser" and "switch_browser_resume" endpoints, leading to phishing attacks through mimicked UI pages. The proposed mitigations include adding a state parameter to prevent such attacks, ensuring that both actions occur within a valid authentication flow.

This state parameter allows the client application to validate the actions, by comparing the state in the in the authorization request against the state in the response (broker redirect).
image

AB#3250169

@p3dr0rv p3dr0rv requested a review from a team as a code owner April 28, 2025 20:07
@github-actions
Copy link

github-actions bot commented Apr 28, 2025

❌ Work item link check failed. Description does not contain AB#{ID}.

Click here to Learn more.

@github-actions
Copy link

github-actions bot commented Apr 28, 2025

✅ Work item link check complete. Description contains link AB#3250169 to an Azure Boards work item.

@github-actions github-actions bot changed the title DUNA. Prevent phish attack in “switch_browser” flow. DUNA. Prevent phish attack in “switch_browser” flow. , Fixes AB#3250169 Apr 28, 2025
@p3dr0rv p3dr0rv requested a review from a team as a code owner April 28, 2025 20:18
@p3dr0rv p3dr0rv added the Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR label Apr 28, 2025
shahzaibj
shahzaibj reviewed Apr 28, 2025
View reviewed changes
Copy link
Contributor

@shahzaibj shahzaibj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to put this change behind a separate flight? I'm thinking just in case client changes for state go to prod before server changes then it would be good to have the ability to turn off just this flight and test the rest of the switch browser protocol.

Not necessary to put the whole change behind a flight but just the parts of code that validate the state and/or take a hard dependency on state param being present. Essentially turning off the flight should allow the flow to work (no exception thrown) even if state param is not returned by server. So client code can essentially proceed with assuming an empty string state param.

@p3dr0rv p3dr0rv merged commit cbda9cd into dev Apr 30, 2025
22 of 25 checks passed
@p3dr0rv p3dr0rv deleted the pedroro/duna-state branch April 30, 2025 18:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shahzaibj shahzaibj shahzaibj approved these changes

@somalaya somalaya somalaya approved these changes

Assignees

No one assigned

Labels

Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@p3dr0rv @shahzaibj @somalaya