How does that work? Is the key part of some kind of complex auth flow where it's only allowed to sign tokens that have Exchange access?
A compromised key that can sign authentication tokens seems like a pretty big deal.
How can you forge a token? Did they use quantum machinery to retrieve a JWT Private Key? Did they factor RSA keys?
But no, they used a bug/weakness to exchange a token.