Home

AAD Token ESTSAUTH Cookie Export Import

%3CLINGO-SUB%20id%3D%22lingo-sub-759428%22%20slang%3D%22en-US%22%3EAAD%20Token%20ESTSAUTH%20Cookie%20Export%20Import%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759428%22%20slang%3D%22en-US%22%3E%3CP%3EAssuming%20this%20is%20known%20already%20one%20can%20easily%20export%20the%20ESTSAUTH%20cookie%20from%20the%20browser%20once%20authenticated%20with%20AAD%20%2F%20Office%20365%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eand%20then%20import%20the%20same%20on%20another%20device%20and%20can%20easily%20access%20the%20services%2Fapps%20with%20respect%20to%20token%20and%20license%20applied%20on%20the%20user%2C%20i%20guess%20with%20respect%20to%20AAD%2FO365%20idea%20is%20to%20allow%20access%20from%20anywhere-anydevice%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehowever%20this%20can%20be%20big%20security%20loophole%20where%20org%20has%20deployed%20Federated%20Authentication%20using%20ADFS%2FPing%20etc...%20as%20this%20process%20bypasses%20all%20those%20checks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20this%20is%20known%20what%20is%20the%20recommendation%20to%20mitigate%20or%20Fix%20this%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-759428%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAAD%20Token%20ESTSAUTH%20Cookie%20Export%20Import%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-777494%22%20slang%3D%22en-US%22%3ERe%3A%20AAD%20Token%20ESTSAUTH%20Cookie%20Export%20Import%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-777494%22%20slang%3D%22en-US%22%3E%3CP%3EStrange%20this%20is%20not%20catching%20anyone's%20attention%2C%3C%2FP%3E%3CP%3EPlease%20all%20experts%20look%20into%20this%20and%20advise%2C%3C%2FP%3E%3CP%3EBy%20simply%20exporting%20and%20importing%20the%20mentioned%20cookies%20here%20user%20is%20able%20to%20bypass%20all%20machine%20level%20checks%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3EAccess%20from%20UnManaged%20Device%20%3F%3C%2FP%3E%3CP%3EHow%20to%20prevent%20this%20please%20suggest%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBR%2C%3C%2FP%3E%3CP%3E%2FHS%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-856748%22%20slang%3D%22en-US%22%3ERe%3A%20AAD%20Token%20ESTSAUTH%20Cookie%20Export%20Import%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-856748%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20is%20aware%20of%20this%20and%20is%20working%20on%20introducing%20new%20session%20control%20feature%20as%20part%20of%20conditional%20access%20with%20Azure%20AD%3C%2FP%3E%3C%2FLINGO-BODY%3E
Frequent Contributor

Assuming this is known already one can easily export the ESTSAUTH cookie from the browser once authenticated with AAD / Office 365,

 

and then import the same on another device and can easily access the services/apps with respect to token and license applied on the user, i guess with respect to AAD/O365 idea is to allow access from anywhere-anydevice

 

however this can be big security loophole where org has deployed Federated Authentication using ADFS/Ping etc... as this process bypasses all those checks

 

If this is known what is the recommendation to mitigate or Fix this ?

2 Replies

Strange this is not catching anyone's attention,

Please all experts look into this and advise,

By simply exporting and importing the mentioned cookies here user is able to bypass all machine level checks ? 

Access from UnManaged Device ?

How to prevent this please suggest

 

BR,

/HS

 

Microsoft is aware of this and is working on introducing new session control feature as part of conditional access with Azure AD

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies