Microsoft Tightens Cloud Login Security Measures

Microsoft is making its cloud platform's login system harder to attack. Starting next October, it will block scripts from running during the login process unless they come from "trusted Microsoft domains." This change helps protect users from risks like cross-site scripting (XSS), where attackers inject malicious script into web pages that other users then load.

The update comes as part of Microsoft's Secure Future Initiative, which was announced after a series of cyberattacks exposed weaknesses in its security. The company will enforce the script restrictions by changing a browser security header, the content security policy that tells the browser which script sources a page may load.

However, this change won’t affect Entra External ID, which handles authentication for apps other than web browsers. Microsoft encourages organizations to test their sign-in processes before the change to ensure a smooth rollout.

XSS attacks have been around for decades, but they remain a powerful tool for attackers because vulnerabilities are still widespread in modern applications. Despite advances in browser security and content security policies, XSS remains a persistent threat with real-world consequences.
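The mechanism the article describes is a Content-Security-Policy `script-src` directive: the server sends a header, and the browser refuses to run any script whose origin is not listed. The example below is added here to illustrate that behaviour; it is not Microsoft's policy or code, and the headers, host names (`login.example-idp.test`) and script URLs are constructed placeholders. It implements a simplified version of the CSP source-matching rules so a defender can check what a given policy would block, contrasting a permissive policy with a restrictive one.

```python
"""Simplified CSP script-src evaluation (added example, constructed inputs)."""
from urllib.parse import urlparse

# Constructed sample headers; the restrictive one mirrors the "trusted domains only"
# shape described in the article, not any real vendor policy.
WEAK_CSP = "script-src * 'unsafe-inline'"
STRICT_CSP = "script-src 'self' https://*.login.example-idp.test; object-src 'none'"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source_expression, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: '*.a.b' matches 'x.a.b' but not 'a.b' itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] == ".a.b"
    return pattern == host


def _script_sources(header: str) -> list:
    """script-src governs scripts; default-src is the fallback when it is absent."""
    directives = parse_csp(header)
    return directives.get("script-src", directives.get("default-src", []))


def script_allowed(header: str, script_url: str, page_origin: str) -> bool:
    """Return True if a script fetched from script_url may run on a page at page_origin."""
    sources = _script_sources(header)
    if not sources:
        return True  # no directive at all: the browser applies no restriction
    url, page = urlparse(script_url), urlparse(page_origin)
    for src in sources:
        if src == "*":
            return url.scheme in ("http", "https")  # wildcard: any network origin
        if src == "'self'":
            if (url.scheme, url.netloc) == (page.scheme, page.netloc):
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline', nonces, hashes are not URL sources
        elif src.endswith(":"):
            if url.scheme == src[:-1].lower():  # scheme source such as "https:"
                return True
        else:
            # Host source, with or without scheme/port. Scheme-less hosts are
            # accepted for any scheme here; the real spec also applies an
            # http->https upgrade rule that this simplified version omits.
            pat = urlparse(src if "://" in src else "//" + src)
            scheme_ok = pat.scheme == "" or pat.scheme == url.scheme
            port_ok = pat.port is None or pat.port == url.port
            if scheme_ok and port_ok and _host_matches(pat.hostname or "", url.hostname or ""):
                return True
    return False


def inline_allowed(header: str) -> bool:
    """Inline <script> blocks run only with 'unsafe-inline' and no nonce/hash sources.

    Per the CSP spec, a nonce or hash source in the directive disables 'unsafe-inline'.
    """
    sources = _script_sources(header)
    if not sources:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    page = "https://login.example-idp.test"
    injected = "https://attacker.example/payload.js"  # constructed third-party origin
    for name, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{name}: third-party script allowed={script_allowed(policy, injected, page)}, "
              f"inline allowed={inline_allowed(policy)}")
```

Under the permissive header both the injected external script and inline script run, which is exactly the gap XSS exploits; under the restrictive header only same-origin scripts and the listed trusted subdomains load, and inline script is refused. Before rolling out such a policy, the same evaluator can be run over every script URL a sign-in page legitimately loads to confirm none would be blocked, which is the testing the article recommends.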

Source: https://www.cybersecuritydive.com/news/microsoft-change-cloud-login-entra-id-xss/806556