Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery
No ratings
Presented at DEF CON 33 by
While the theft of Primary Refresh Token (PRT) cookies on Windows has been extensively studied, similar attacks on macOS remain unexplored. As organizations increasingly use Microsoft Intune to manage both Windows and macOS devices, a critical question arises: can attackers also extract PRT cookies from macOS? In this talk, we present our research into Microsoft’s SSO implementation within the Intune Company Portal for macOS. We compare authentication flows and security controls between Windows and macOS, exposing weaknesses that allow attackers to bypass process validation and obtain authentication tokens under certain conditions. Another obstacle for attackers has been Microsoft’s efforts to make it more difficult to register new devices using stolen credentials for persistence. Our research introduces a novel technique: once an attacker acquires a token with an MFA claim on the device, they can still register new devices and generate new tokens without concern for the original stolen token’s expiration. We will demonstrate PRT Cookie extraction on macOS and release a proof-of-concept tool, showing not only how credential theft techniques can now extend beyond Windows to macOS environments, but also how attackers can leverage these techniques for long-term persistence. References: Shang-De Jiang is a deputy director of the research team of CyCraft. Currently, he focuses on research on Incident Response and Endpoint Security and Microsoft Security. He has presented technical presentations in non-academic technical conferences, such as TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and BlackHat USA. He is the co-founder of UCCU Hacker the private hacker group in Taiwan. Kazma is a university student from Taiwan and cybersecurity intern of CyCraft. His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic. He’s also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation.