Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Well, your "legacy non production test tenant" can be opened by just guessing passwords, and it allows access to "very much in use production non-test" tenants, then you could say MS has a vulnerability. It may not be a buffer overflow, but it is a vulnerability nonetheless.


Yes, and I think most people would consider it a vulnerability if an authentication system doesn't rate-limit or otherwise slow/stop "password spray" attacks.


You can rate limit individual users but password spray attacks use a large number of accounts to remain undetected in a authentication system used by an even more users.


{rolls eyes}

This is precisely the kind of 1990's level basic heuristic that this company cites as part of their Sentinel security system.

Trying to excuse a breach by 'the attacker tried a few passwords against lots of different accounts' is not compelling.


We are getting 10000x times the number of wrong passwords than average, I'm sure it's nothing to worry about.


It was a legacy test system connected to a production system so it doesn't count. Obviously. /s




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: