Cloud Token Theft
What is Cloud Token Theft?
Cloud Token Theft: Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
Cloud token theft targets the short-lived bearer tokens, refresh tokens, and signing keys that modern cloud identity systems issue. Attackers steal them from compromised endpoints, browser cookies, mailbox sync logs, CI/CD variables, or by abusing OAuth consent grants. The Microsoft Storm-0558 incident in 2023, where a stolen Microsoft Account consumer signing key was used to forge access tokens for Exchange Online and reach government mailboxes, illustrates the catastrophic blast radius when a signing key leaks. Defences include hardware-protected key storage (HSM), conditional access with device posture, token binding and continuous access evaluation, anomaly detection on token issuance, and aggressive rotation of signing material.
● Examples
- 01 Storm-0558 forging Azure AD access tokens with a stolen MSA consumer signing key (2023).
- 02 Pass-the-cookie: stealing browser session cookies for Microsoft 365 to bypass MFA.
● Frequently asked questions
What is Cloud Token Theft?
Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords. It belongs to the Cloud Security category of cybersecurity.
What does Cloud Token Theft mean?
Stealing OAuth, SAML, or signing tokens from a cloud identity service and replaying them to impersonate users or services without needing passwords.
How does Cloud Token Theft work?
Cloud token theft targets the short-lived bearer tokens, refresh tokens, and signing keys that modern cloud identity systems issue. Attackers steal them from compromised endpoints, browser cookies, mailbox sync logs, CI/CD variables, or by abusing OAuth consent grants. The Microsoft Storm-0558 incident in 2023, where a stolen Microsoft Account consumer signing key was used to forge access tokens for Exchange Online and reach government mailboxes, illustrates the catastrophic blast radius when a signing key leaks. Defences include hardware-protected key storage (HSM), conditional access with device posture, token binding and continuous access evaluation, anomaly detection on token issuance, and aggressive rotation of signing material.
How do you defend against Cloud Token Theft?
Defences for Cloud Token Theft combine technical controls (hardware-protected key storage in an HSM, conditional access with device posture, token binding, continuous access evaluation) with operational practices (anomaly detection on token issuance, aggressive rotation of signing material), as described in the full definition above.
What are other names for Cloud Token Theft?
Common alternative names include: Token replay, OAuth token theft.
● Related terms
- cloud-security № 186: Cloud Key Leak
Accidental exposure of long-lived cloud access keys in public repositories, container images, logs, or client-side code, often abused within minutes.
- cloud-security № 079: AWS IMDSv1 Attack
Theft of EC2 instance role credentials by sending unauthenticated GET requests to the legacy IMDSv1 endpoint, typically via SSRF.
- cloud-security № 505: IAM Privilege Escalation
Abusing existing cloud IAM permissions to gain higher privileges, often via policy editing, role passing, or self-granting administrative rights.
- cloud-security № 187: Cloud Metadata SSRF
A server-side request forgery attack that abuses a vulnerable application to query a cloud provider's instance metadata service and steal temporary credentials.
- attacks № 1016: Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.