InfluxDB OSS contains a business‑logic weakness — tracked as CVE‑2024‑30896 — that allowed an authorized user with an allAccess token in the same organization to enumerate and retrieve the administrative operator token, effectively enabling full administrative takeover of affected InfluxDB OSS...
The U.S. cybersecurity community has been handed a timely, focused draft to review: the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly released an initial public draft of Interagency Report (IR) 8597, titled...
Tokens are the skeleton keys of modern digital systems — small opaque strings that grant access, carry identity claims, and enable automation — and they are now one of the most attractive targets for attackers across enterprise clouds, endpoints, AI systems, APIs, and decentralized finance...
Token security has moved from a background concern to a front‑line risk for every organization that relies on cloud identity, web APIs, AI services, or decentralized finance—attackers are weaponizing tokens to bypass multi‑factor authentication, impersonate administrators, and drain liquidity...
Oxford Nanopore’s MinKNOW platform has been placed squarely under the security microscope after coordinated disclosures identified multiple high‑risk vulnerabilities that can be triggered over local networks, expose long‑lived authentication tokens, and even produce denial‑of‑service conditions...
When a Dutch researcher glanced at a token stream while preparing a Black Hat talk, he didn’t just find a bug—he found a fault line in the foundations of cloud identity that could have allowed a single click to flip virtually every Microsoft Entra (Azure AD) tenant from secure to owned. The...
Microsoft's latest updates to the Windows 365 family push the Cloud PC experience closer to a full, resilient desktop replacement — but they also raise important questions for IT about licensing, capacity, and user data protection. The company has expanded the Connection Center experience so...
Microsoft’s recent how‑to on issuing custom SSO claims from Entra ID using directory extension attributes gives administrators a practical, low‑friction way to inject organization‑specific data into SAML and OIDC tokens — and to do so only for selected user groups during sign‑in. The documented...
It took Redmond 1 day to kill a threat that allowed users with a Firefox add-on (Tamper Data) to remotely reset the password of a Hotmail account and allowed them to access the outgoing HTTP request, then modify the data.
Microsoft was notified April 20, 2012, applied the fix April 21...