CyberSecurityBoard
Sponsor Register Login

Microsoft Identity Web Package Vulnerability Exposes Client Secrets

Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications,” states the advisory. While the impact depends on how securely service logs are handled, organizations with inadequate log protection practices could face significant security risks if malicious actors obtain these credentials. The advisory notes that “Service logs are intended to be handled securely,” emphasizing that organizations with proper log security measures may not be impacted. Organizations using affected versions of Microsoft Identity Web are strongly encouraged to implement the necessary updates or workarounds to protect their authentication credentials from potential exposure. The vulnerability affects Microsoft.Identity.Web, a widely used NuGet package that simplifies Azure Active Directory authentication for .NET applications. Security experts recommend using certificates from KeyVault or a certificate store, or implementing Federation identity credentials with Managed Identity as more secure alternatives. Under specific conditions, it could potentially expose sensitive client secrets and certificate information in service logs. Invalid or Expired Certificates: Logs of services using invalid or expired Base64 encoded certificates or certificate paths with password credential descriptions. “This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Credential Descriptions: Logs containing local file paths with passwords, Base64 encoded values, or client secrets. However, the widespread use of Microsoft Identity Web across enterprise applications makes this vulnerability particularly concerning. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Marcel Michau was credited with the discovery, and Jean-Marc Prieur and Jenny Ferris from the Microsoft Identity team handled remediation development.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Apr 2025 10:30:13 +0000


Cyber News related to Microsoft Identity Web Package Vulnerability Exposes Client Secrets

You Don't Know Where Your Secrets Are - Do you know where your secrets are? If not, I can tell you: you are not alone. Hundreds of CISOs, CSOs, and security leaders, whether from small or large companies, don't know either. No matter the organization's size, the certifications, tools, ...
2 years ago Thehackernews.com
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
1 year ago Securityboulevard.com
Taking the complexity out of identity solutions for hybrid environments: Identity Fabric and orchestration - For the past two decades, businesses have been making significant investments to consolidate their identity and access management platforms and directories to manage user identities in one place. Instead, businesses must learn how to consistently and ...
1 year ago Securityintelligence.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
1 year ago Microsoft.com
How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions - In particular, there is an immediate and profound impact on the identity and access management postures of both companies. While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and ...
1 year ago Microsoft.com
Identity as a Service - Let us introduce Identity as a Service, a revolutionary identity management strategy that aims to improve security, simplify user interfaces, and enable frictionless access to online resources. Organizations can use IDaaS platforms to access identity ...
1 year ago Feeds.dzone.com
What is Azure Identity Protection and 7 Steps to a Seamless Setup - As a result, tools such as Microsoft's Azure Identity Protection have become a staple in protecting against compromised identities, account takeover, and misuse of privileges. Azure Identity Protection is a security service that provides a robust ...
10 months ago Securityboulevard.com
Over 12 million auth secrets and keys leaked on GitHub in 2023 - GitHub users accidentally exposed 12.8 million authentication and sensitive secrets in over 3 million public repositories during 2023, with the vast majority remaining valid after five days. The exposed secrets include account passwords, API keys, ...
1 year ago Bleepingcomputer.com
The Latest Identity Theft Methods: Essential Protection Strategies Revealed - Identity theft has evolved far beyond the days of stolen mail and dumpster diving. Today's identity thieves employ sophisticated techniques, including account takeovers and government benefit fraud, making it essential for you to stay vigilant to ...
1 year ago Hackread.com
The Secret Weakness Execs Are Overlooking: Non-Human Identities - By shifting our focus to secrets security and adopting a comprehensive approach that includes robust detection, automated remediation, and integration with identity systems, organizations can significantly reduce their attack surface and bolster ...
6 months ago Thehackernews.com
Microsoft Identity Web Package Vulnerability Exposes Client Secrets - Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications,” states the advisory. While the impact depends on how securely service logs are handled, ...
1 week ago Cybersecuritynews.com
Unseen Threats: Identity Blind Spots and Misconfigurations in Cybersecurity - It's rather obvious to most in the IT sector that cybercriminals consistently and successfully exploit stolen or weak online identities to gain unauthorized access to businesses of all types. It's these identities in an enterprise that are clearly ...
1 year ago Cybersecurity-insiders.com
31 Alarming Identity Theft Statistics for 2024 - Identity theft is a prevalent issue that affects millions of people annually. Although the numbers are startling, we've selected the 31 most concerning identity theft statistics to help you understand how to secure your identity. In 2022, the FTC ...
1 year ago Pandasecurity.com
What is identity management? Definition from SearchSecurity - Identity management is the organizational process for ensuring individuals have the appropriate access to technology resources. Identity management is an essential component of security. Identity management includes authenticating users and ...
1 year ago Techtarget.com
SailPoint unveils two sets of new offerings to help companies grow their identity security program - SailPoint unveiled two sets of new offerings designed to give customers options as they build their identity program, while driving customer success throughout their identity journey. First, the company is extending the family of SailPoint Identity ...
1 year ago Helpnetsecurity.com
Honeytokens for Peace Of Mind - If you have been tackling the realities of secrets sprawl, getting a handle on all the hardcoded credentials in your organization, then we understand the stress and the restless nights that can bring. Even a small team can add hundreds of secrets a ...
1 year ago Feeds.dzone.com
GitGuardian Report: 70% of Leaked Secrets Remain Active for Two Years, Urging Immediate Remediation - GitGuardian, the security leader behind GitHub’s most installed application, today released its comprehensive “2025 State of Secrets Sprawl Report,” revealing a widespread and persistent security crisis that threatens organizations ...
1 month ago Cybersecuritynews.com
The Role of Identity Data Management in Achieving CISA'S Strategic Goals - At the heart of this growing risk is identity, with over 60% of all breaches today involving identity exploitation. As organizations continue to expand their digital footprints, driven by a move towards cloud resources and remote systems, their ...
1 year ago Cyberdefensemagazine.com
Reducing credential complexity with identity federation - Help Net Security - Organizations also need to ensure compatibility between different platforms and protocols, and effectively merge user identities across multiple IdPs to avoid security gaps or identity conflicts. From a security perspective, federated authentication ...
6 months ago Helpnetsecurity.com
Privileged Access Management for DevOps - Recently, KuppingerCole released the first edition of its Leadership Compass for Privileged Access Management for DevOps. The KuppingerCole report recognizes the unique and complex challenges that exist in DevOps and other dynamic environments. The ...
2 years ago Beyondtrust.com Patchwork
The 11 Best Identity and Access Management Tools - Demand for Identity and Access Management tools is booming. Today, there are dozens of Identity and Access Management tools on the market. Identity and Access Management solutions share many things in common with other cybersecurity technologies. ...
1 year ago Heimdalsecurity.com
1Kosmos Unifies Identity Verification User Journeys Across Web and Mobile Platforms - PRESS RELEASE. EAST BRUNSWICK, N.J., Nov. 29, 2023 - 1Kosmos, the company that unifies identity proofing and passwordless authentication, today announced the 1Kosmos BlockID platform now enables organizations to seamlessly extend web-based identity ...
1 year ago Darkreading.com
New Microsoft Incident Response guides help security teams analyze suspicious activity - Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for ...
1 year ago Microsoft.com
​​Strengthening identity protection in the face of highly sophisticated attacks​​ - We continuously work to improve the built-in security of our products and platforms. It's a multi-year commitment to advance the way we design, build, test, and operate our technology to ensure we deliver solutions that meet the highest possible ...
1 year ago Techcommunity.microsoft.com
Unmasking Identity Theft: Detection and Mitigation Strategies - In an increasingly digital world, the threat of identity theft looms large, making it imperative for individuals to be proactive in detecting potential breaches and implementing effective mitigation measures. This article delves into key strategies ...
1 year ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)