Mac PRT Cookie Theft & Entra ID Persistence

Name: Mac PRT Cookie Theft & Entra ID Persistence
Description: This DEF CON 33 talk—titled in full "Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery"—presents a novel attack chain against Microsoft Entra ID (formerly Azure Act

Shang-De Jiang, Dong-Yi Ye, Tung-lin Lee

DEF CON 33 · Day 2 · Main Stage

This DEF CON 33 talk—titled in full "Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery"—presents a novel attack chain against Microsoft Entra ID (formerly Azure Act

AI review

DEVCORE researchers discovered that the macOS Entra ID implementation exposes the Session Key in a way that enables full device forgery — persistent Entra ID access that survives password resets, device wipes, and MDM re-enrollment — because macOS lacks the Windows TPM-backed key protection model.

Watch on YouTube