Microsoft has patched an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to elevate privileges and potentially take full control of the target’s account.
This misconfiguration (named nOAuth by the Descope security team who discovered it) could be abused in account and privilege escalation attacks against Azure AD OAuth applications configured to use the email claim from access tokens for authorization.
An attacker only had to replace their Azure AD administrator account email address with the victim’s email address and use the “Sign in with Microsoft” feature to obtain authorization on the application or the vulnerable website.
This allows them to take full control of the target’s account if the targeted resources allow the use of email addresses as unique identifiers during the authorization process.
This tactic can also be used when the victim doesn’t even have a Microsoft account, and it was a feasible attack method because Azure AD didn’t require email changes to be validated.
“If the application merges user accounts without validation, the attacker now has full control over the victim’s account, even if the victim does not have a Microsoft account”, Descope said.
“After a successful login, the attacker has an open field depending on the nature of the application or site he has taken over. He can establish persistence, exfiltrate data, explore whether a lateral movement is possible, etc.”
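As an added illustration (not code from the article, Descope or Microsoft), the account-linking step of a "Sign in with Microsoft" flow written first the way nOAuth abuses it, matching on the mutable email claim, and then keyed on the immutable tenant and object identifiers. The user store, identifiers and claim dicts are constructed, and the `xms_edov` (email domain owner verified) optional claim is assumed to be requested by the application.

```python
import copy

# Constructed sample store: the victim registered locally with a password and
# has no Microsoft account at all.
USERS = {1: {"email": "victim@example.com", "idp": "password"}}

# Constructed claims from an already signature-validated ID token for the
# attacker's own Azure AD account after its mail attribute was set to the
# victim's address. 'tid' and 'oid' are fixed by Azure AD; 'email' is not.
# 'xms_edov' (assumed requested) is false: the tenant does not own example.com.
ATTACKER_CLAIMS = {
    "tid": "11111111-aaaa-4bbb-8ccc-000000000001",
    "oid": "22222222-aaaa-4bbb-8ccc-000000000002",
    "email": "victim@example.com",
    "xms_edov": False,
}

def vulnerable_link(users, claims):
    """The nOAuth pattern: match the local account on the email claim alone."""
    for uid, user in users.items():
        if user["email"].lower() == claims["email"].lower():
            return uid  # attacker is merged into the victim's existing account
    uid = max(users, default=0) + 1
    users[uid] = {"email": claims["email"], "idp": "aad"}
    return uid

def hardened_link(users, claims):
    """Key the identity on (tid, oid); treat email as a hint only when verified."""
    key = (claims["tid"], claims["oid"])
    for uid, user in users.items():
        if user.get("aad_key") == key:
            return uid  # returning user, matched on immutable identifiers
    if claims.get("xms_edov") is True:
        # Only a tenant that provably owns the email domain may auto-link.
        for uid, user in users.items():
            if user["email"].lower() == claims["email"].lower() and "aad_key" not in user:
                user["aad_key"] = key
                return uid
    # Unverified email: create a separate account; any link to the password
    # account has to go through the app's own email verification.
    uid = max(users, default=0) + 1
    users[uid] = {"email": claims["email"], "idp": "aad", "aad_key": key}
    return uid

def run_demo():
    """Return (uid from vulnerable flow, uid from hardened flow) for the attacker."""
    return (vulnerable_link(copy.deepcopy(USERS), ATTACKER_CLAIMS),
            hardened_link(copy.deepcopy(USERS), ATTACKER_CLAIMS))
```

In the vulnerable flow the attacker lands in the victim's account (uid 1); in the hardened flow they get a fresh, unlinked account (uid 2) and the password account is untouched.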
Among several large organizations vulnerable to this type of attack, Descope discovered a design application with millions of monthly users, a publicly traded customer experience company, and one owned by a major multi-cloud consulting provider.
Descope also shared a video detailing how exploiting this AAD authentication misconfiguration can lead to full account takeover and how it can be avoided.
Microsoft has fixed the nOAuth configuration via mitigations released today, following an initial report sent by Descope on April 11, 2023.
“Microsoft has identified multiple multi-tenant apps with users using an email address with an unverified domain owner,” Redmond said.
“If you did not receive a notification, your app has not consumed email claims with unverified domain owners.
“To protect customers and applications that may be vulnerable to elevation of privilege, Microsoft has deployed mitigations to omit token requests from unverified domain owners for most applications.”
The company also strongly advised developers to carefully evaluate their apps’ permission business logic and adhere to these guidelines to protect against unauthorized access.
Additionally, developers are encouraged to adopt these recommended best practices for token validation when using the Microsoft identity platform.