Make the world a safer place Menu

Talk

Breaking Down macOS Intune SSO: PRT Token Theft and Platform Comparison

While Entra ID Single Sign-On (SSO) on Windows has been extensively studied leading to techniques such as ROADtoken and BAADTokenBroker, but the macOS implementation has unexplored. In this talk, we present new findings on how Microsoft implements SSO within the Intune Company Portal for macOS, and demonstrate how we successfully bypassed its signature validation logic to extract Primary Refresh Tokens (PRTs) under user-level permissions.

We begin by comparing the SSO authentication flows and security checks on both Windows and macOS, highlighting the stricter verification mechanisms(e.g. signature check, process check…). Through our research, we discovered certain authentication validation weaknesses in the implementation that could allow attackers to bypass process checks and obtain authentication tokens under specific conditions.

This talk includes a live demo of PRT extraction on a latest macOS system. We conclude with practical defense recommendations for enterprises deploying Entra ID on macOS.

This presentation provides an in-depth analysis of Entra ID’s Single Sign-On (SSO) implementation on macOS, focusing on both architectural design and practical attack vectors. By dissecting the SSO trust chain and examining how each component validates the identity of calling processes, we reveal how Primary Refresh Tokens (PRTs) can be extracted from Company Portal on macOS, all under standard user permissions.

Main topics to be covered:

  1. SSO request and authentication flows on Windows as a baseline comparison
  2. Breakdown of the Company Portal SSO implementation and flows on macOS
  3. Detailed analysis of Company Portal SSO components:
    • BrowserCore implementation specific to macOS
    • AppSSOAgent - macOS built-in framework for vendor SSO implementation
    • Mac SSO Extension - Microsoft’s authentication module for macOS
    • Security checks and verification mechanisms
  4. Demo abuse methods
  5. Defense strategies and security recommendations

Key takeaways for the audience:

  • Understanding of Microsoft’s system integration with macOS
  • Comparison of security strengths and weaknesses between platforms
  • Guidance on implementing defense

Technical prerequisites:

Attendees should have a basic understanding of Entra ID concepts. While familiarity with macOS reverse engineering will be helpful, we will provide necessary background information to help Windows-focused professionals understand the content. The presentation will include detailed explanations of key concepts to ensure accessibility for all audience.

About the Speakers