Cybersecurity Dive reports that Microsoft is implementing a significant security hardening measure for its Entra ID cloud identity platform, aiming to block a common vector for account hijacking by restricting scripts during the login process.Starting in October, only scripts originating from trusted Microsoft domains will be permitted to execute when users sign in, a move designed to shield against cross-site scripting attacks where malicious code is injected into websites. According to Entra ID product manager Ankur Patel, this is "a proactive measure that further shields your users against current security risks."The change, enforced via a modification to the browser's Content Security Policy header, is part of the broader Secure Future Initiative launched after high-profile nation-state breaches revealed systemic security flaws. Microsoft acknowledged that XSS remains a stubborn threat, noting it mitigated nearly 1,000 such vulnerabilities in its own services in a recent 18-month period.The company is urging organizations to test their sign-in integrations to ensure compatibility, emphasizing that despite modern defenses, XSS attacks persist due to widespread underlying vulnerabilities even in new applications.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds





