O_O Synology's middleware service was inadvertently exposing a master credential during every setup process, and this credential belonged to Synology's global app registration, giving attackers broad read-only access to organizational data including Teams messages, group information, and Microsoft 365 content.

https://modzero.com/en/blog/when-backups-open-backdoors-synology-active-backup-m365/

When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365"

@hrbrmstr looks like the same request is leaking a refresh token as well, but I did not see a mention of that.
@huronbikes I will never, ever grok why vendors do not do more than the absolute bare minimum to address reported weaknesses. Synology really should have caught that.

@hrbrmstr @huronbikes Maybe I'm being uncharitable, but this has the flavor of a fairly profound misunderstanding of, or disinterest in, permissions of the sort that leaves me wondering if the vendor even knows that their response is bare-minimum.

Why would you even need a "Synology HQ gets read.all" global app for a situation where a service running on a customer NAS needs a service principal in a customer tenant, even if you were good about not leaking the credentials for the global app?
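The permission-design point above is the one a tenant admin can act on immediately: list which enterprise apps in your tenant hold tenant-wide Microsoft Graph application permissions, and which of those are registered in a vendor's tenant (so the client secret is the publisher's, and you can only revoke consent, not rotate it). The script below is an added example for this thread, not code from any participant, from modzero, or from Synology. It runs offline on a constructed excerpt shaped like the Graph responses for `GET /servicePrincipals?$expand=appRoleAssignments` and for the Microsoft Graph resource's own `appRoles` list; every GUID, app name and tenant id in it is made up (only the Graph appId `00000003-0000-0000-c000-000000000000` in the comment is the real well-known value).

```python
"""Audit an Entra ID tenant for enterprise apps (service principals) holding
broad, tenant-wide Microsoft Graph application permissions, and separate apps
registered by an external publisher from first-party ones.

Added example, not from the thread or the vendor. Input is a constructed
excerpt shaped like:
    GET /servicePrincipals?$expand=appRoleAssignments
    GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
(the second is Microsoft Graph itself; its appRoles map role ids to names).
All GUIDs below are made up.
"""
from typing import Dict, List, NamedTuple

# Constructed tenant ids: ours, and a vendor's (where a multi-tenant app lives).
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"
VENDOR_TENANT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed object id of the Microsoft Graph service principal in our tenant.
# appRoleAssignments reference the resource by this object id, not by appId.
GRAPH_SP_OBJECT_ID = "33333333-3333-3333-3333-333333333333"
OTHER_RESOURCE_SP_ID = "44444444-4444-4444-4444-444444444444"

# Constructed fragment of Graph's appRoles: appRoleId -> permission value.
GRAPH_APP_ROLES: Dict[str, str] = {
    "aaaaaaaa-0000-0000-0000-000000000001": "User.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000002": "Chat.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000003": "Group.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000004": "Sites.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000005": "Files.Read.All",
    "aaaaaaaa-0000-0000-0000-000000000006": "Sites.Selected",
    "aaaaaaaa-0000-0000-0000-000000000007": "Mail.Read",
}

def _assign(role_id: str, resource: str = GRAPH_SP_OBJECT_ID) -> dict:
    return {"resourceId": resource, "appRoleId": role_id}

# Constructed service principals as returned for our tenant.
SERVICE_PRINCIPALS: List[dict] = [
    {   # External publisher, secret held by vendor, reads Teams/Groups/Sites/Files
        "displayName": "Vendor Backup Connector",
        "appId": "bbbbbbbb-0000-0000-0000-000000000001",
        "appOwnerOrganizationId": VENDOR_TENANT_ID,
        "appRoleAssignments": [_assign(f"aaaaaaaa-0000-0000-0000-00000000000{i}") for i in range(1, 6)],
    },
    {   # External publisher but resource-specific consent only
        "displayName": "Project Site Tool",
        "appId": "bbbbbbbb-0000-0000-0000-000000000002",
        "appOwnerOrganizationId": VENDOR_TENANT_ID,
        "appRoleAssignments": [
            _assign("aaaaaaaa-0000-0000-0000-000000000006"),
            _assign("aaaaaaaa-0000-0000-0000-000000000007", OTHER_RESOURCE_SP_ID),  # not Graph, ignored
        ],
    },
    {   # Registered in our own tenant: we own and can rotate its credential
        "displayName": "Internal HR Sync",
        "appId": "bbbbbbbb-0000-0000-0000-000000000003",
        "appOwnerOrganizationId": OUR_TENANT_ID,
        "appRoleAssignments": [_assign("aaaaaaaa-0000-0000-0000-000000000001")],
    },
]

class Finding(NamedTuple):
    app: str
    permission: str
    scope: str       # "broad" | "scoped" | "review"
    external: bool   # app registration lives in another tenant

def classify(permission: str) -> str:
    """'broad' = tenant-wide (*.All), 'scoped' = resource-specific consent
    (*.Selected), 'review' = everything else (still needs a look: e.g. the
    Mail.Read application permission covers every mailbox)."""
    if permission.endswith(".Selected"):
        return "scoped"
    if permission.endswith(".All"):
        return "broad"
    return "review"

def audit(sps: List[dict], app_roles: Dict[str, str], our_tenant: str) -> List[Finding]:
    """Resolve each Graph appRoleAssignment to a permission name and classify it."""
    findings: List[Finding] = []
    for sp in sps:
        owner = sp.get("appOwnerOrganizationId")
        external = owner is not None and owner != our_tenant
        for a in sp.get("appRoleAssignments", []):
            if a.get("resourceId") != GRAPH_SP_OBJECT_ID:
                continue  # permission on some other resource; out of scope here
            perm = app_roles.get(a["appRoleId"], "unknown:" + a["appRoleId"])
            findings.append(Finding(sp["displayName"], perm, classify(perm), external))
    return findings

def external_broad(findings: List[Finding]) -> Dict[str, List[str]]:
    """Highest-priority set: tenant-wide read/write held by an app whose
    credential you cannot rotate because the publisher owns the registration."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.external and f.scope == "broad":
            out.setdefault(f.app, []).append(f.permission)
    return out

if __name__ == "__main__":
    for app, perms in external_broad(audit(SERVICE_PRINCIPALS, GRAPH_APP_ROLES, OUR_TENANT_ID)).items():
        print(f"[external, tenant-wide] {app}: {', '.join(sorted(perms))}")
```

Against a live tenant you would feed `audit()` the real `servicePrincipals` page and the real Graph `appRoles`; the classification is deliberately conservative, so anything it labels `review` still deserves a human look rather than being treated as safe.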

@hrbrmstr Auch!!
A topic worth digging into indeed.