Critical ‘nOAuth’ Flaw in Microsoft Azure AD Enabled Complete Account Takeover

June 21, 2023 | Ravi Lakshmanan | Authentication / Vulnerability


Researchers said a security flaw in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process may have been exploited to achieve full account takeover.

California-based identity and access management service Descope, which discovered and reported the issue in April 2023, named it nOAuth, a play on "no authentication".

“nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications,” said Omer Cohen, chief security officer at Descope.

The misconfiguration concerns how an attacker could change the email attribute in the "Contact Information" of an Azure AD account and then abuse the "Login with Microsoft" feature to take over a victim's account on a third-party app.


All that is required for a successful attack is to create and access an Azure AD administrator account, change the email address to that of the victim, and use the single sign-on flow on the vulnerable app or website.

"If the app merged user accounts without verification, the attacker would have complete control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen explained.

A successful exploit gives the adversary an “open field” to set persistence, exfiltrate data, or perform other post-exploitation activities based on the nature of the app.

This is possible because email addresses are mutable and unverified in Azure AD; Microsoft itself warns against using the email claim for authentication purposes.


The technology giant characterized the issue as an "unsafe anti-pattern used in Azure AD (AAD) applications," stating that using email claims from access tokens for authorization can lead to privilege escalation.

“Attackers could tamper with email claims for tokens issued to applications,” the report noted. “Furthermore, the threat of data leakage exists if an application uses such claims for email searches.”
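To make the anti-pattern concrete, here is the account-linking step behind a "Login with Microsoft" button written the vulnerable way and the hardened way. This is an added example, not code from the article, Descope or Microsoft; the claim names `tid`, `oid` and `email`, the user table and the token dicts are assumptions, and the dicts stand in for the claims of an ID token whose signature has already been verified.

```python
# Added example (not from the article or from Descope/Microsoft): account linking for a
# "Login with Microsoft" flow, once keyed on the unverified email claim (vulnerable) and
# once keyed on the immutable tenant/object pair (hardened). Claim names tid/oid/email,
# the user table and the sample tokens are assumptions constructed for this example.

USERS = {
    # Local account that has never linked a Microsoft identity (the victim in the article).
    "u-100": {"email": "victim@example.com", "idp_subject": None},
    # Local account already linked to a specific (tenant, object) pair.
    "u-200": {"email": "bob@example.com", "idp_subject": ("tenant-b", "oid-b")},
}


def link_by_email(claims, users=USERS):
    """Vulnerable pattern: merge into whichever local account matches the token's email.

    Azure AD does not verify the email attribute and a tenant admin can set it freely,
    so a token from any tenant can carry a victim's address and land in their account.
    """
    wanted = claims.get("email", "").lower()
    for uid, user in users.items():
        if user["email"].lower() == wanted:
            return uid
    return None


def link_by_subject(claims, users=USERS):
    """Hardened pattern: key on the (tid, oid) pair and never merge on the email claim.

    An unknown pair yields None, so the caller creates a fresh account (or asks the user
    to prove ownership of an existing one) instead of silently handing it over.
    """
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        raise ValueError("token lacks tid/oid: refuse to link")
    for uid, user in users.items():
        if user["idp_subject"] == key:
            return uid
    return None
```

A token minted in an attacker-controlled tenant with the email set to `victim@example.com` is merged into `u-100` by the first function and rejected as an unknown identity by the second.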

Microsoft also said it had identified and notified several multi-tenant applications whose users sign in with email addresses from domains with an unverified owner.
