Identity, Cloud Security

Entra ID tightens security against XSS attacks

Warsaw, Poland - August 24, 2024: Microsoft logo on company head

Cybersecurity Dive reports that Microsoft is implementing a significant security hardening measure for its Entra ID cloud identity platform, aiming to block a common vector for account hijacking by restricting scripts during the login process.

Starting in October, only scripts originating from trusted Microsoft domains will be permitted to execute when users sign in, a move designed to shield against cross-site scripting attacks where malicious code is injected into websites. According to Entra ID product manager Ankur Patel, this is "a proactive measure that further shields your users against current security risks."

The change, enforced via a modification to the browser's Content Security Policy header, is part of the broader Secure Future Initiative launched after high-profile nation-state breaches revealed systemic security flaws. Microsoft acknowledged that XSS remains a stubborn threat, noting it mitigated nearly 1,000 such vulnerabilities in its own services in a recent 18-month period.

The company is urging organizations to test their sign-in integrations to ensure compatibility, emphasizing that despite modern defenses, XSS attacks persist due to widespread underlying vulnerabilities even in new applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds