Account takeover flaw in Azure AD fixed by Microsoft
Microsoft has addressed an authentication flaw in Azure Active Directory (Azure AD) that could allow threat actors to escalate privileges and potentially fully take over the target’s account. The flaw, named nOAuth by the Descope security team, involved a misconfiguration that could be abused in account and privilege escalation attacks against Azure AD OAuth applications.
The attack method relied on the vulnerable applications using the email claim from access tokens for authorization. The attacker would modify the email on their Azure AD admin account to match the victim’s email address. Then, by using the “Log in with Microsoft” feature, they could gain authorization on the targeted app or website.
The impact of this vulnerability was significant. If the targeted resources allowed the use of email addresses as unique identifiers during the authorization process, the attacker could take complete control over the victim’s account. It was even possible to exploit this flaw when the victim did not have a Microsoft account.
This flaw was possible because Azure AD did not require validation for email changes. However, Microsoft has now fixed the issue to prevent further account takeovers and protect users from this form of privilege escalation.
The Descope security team has highlighted that if an app merges user accounts without validation, the attacker gains full control over the victim’s account, regardless of whether the victim has a Microsoft account.
After successfully logging in, the attacker has various options depending on the app or site they have taken over. They can establish persistence, exfiltrate data, explore possibilities for lateral movement, and more.
Descope identified several large organizations, including a design app with millions of frequent users, a publicly traded customer experience company, and a leading multi-cloud consulting provider, whose applications were configured in a way that left them vulnerable to this attack.
Descope has also shared a video detailing the exploitation of this Azure Active Directory (AAD) authentication misconfiguration, showcasing how it can result in a complete account takeover. The video also provides information on preventive measures to mitigate this vulnerability.
On April 11, 2023, Descope reported an initial finding to Microsoft regarding the nOAuth configuration. Today, Microsoft has issued mitigations to address the issue.
Redmond confirmed that several multi-tenant applications had users utilizing email addresses with unverified domain owners. Developers who did not receive a notification could take that as an indication that their application did not consume email claims with unverified domain owners.
To safeguard customers and applications vulnerable to privilege escalation, Microsoft has implemented mitigations. These mitigations involve excluding token claims from unverified domain owners for most applications.
Microsoft strongly advised developers to conduct a comprehensive assessment of their app’s authorization business logic and adhere to the provided guidelines to prevent unauthorized access.
Furthermore, developers were encouraged to adopt the recommended best practices for token validation when utilizing the Microsoft identity platform.
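The following is an added example, not code from the article, from Descope, or from Microsoft. It contrasts the account-lookup logic the article describes (an unverified `email` claim used as the account key, so an attacker-controlled email silently merges into the victim's account) with a hardened version that keys on the immutable tenant and object identifiers and treats email as display data only. Tokens are represented as already signature- and issuer-verified claim dictionaries; the attacker and victim values are constructed for the example. The `xms_edov` ("email domain owner verified") optional claim is taken from Microsoft's optional-claims documentation and is not mentioned on this page; an application must request it explicitly, and this example assumes it is present.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (not real tenants, users or tokens).
VICTIM_EMAIL = "victim@example.com"

# What an attacker's token looks like after they set the email on their own
# Azure AD tenant admin account to the victim's address: the email claim
# matches the victim, but tid/oid/sub identify the attacker's own identity.
ATTACKER_CLAIMS: Dict[str, object] = {
    "tid": "11111111-aaaa-4bbb-8ccc-attacker-tenant",   # constructed
    "oid": "22222222-aaaa-4bbb-8ccc-attacker-object",   # constructed
    "sub": "attacker-pairwise-subject",                 # constructed
    "email": VICTIM_EMAIL,
    "xms_edov": False,   # domain owner of example.com not verified by the tenant
}


@dataclass
class Account:
    account_id: str            # app-local identifier
    email: str                 # display/contact only in the hardened model
    tid: Optional[str] = None  # Azure AD tenant id the account is bound to
    oid: Optional[str] = None  # Azure AD object id the account is bound to
    sub: Optional[str] = None  # pairwise subject, kept for reference


class UserStore:
    """Minimal in-memory user table standing in for the app's database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self._next = 1

    def add(self, email: str, tid: Optional[str] = None,
            oid: Optional[str] = None, sub: Optional[str] = None) -> Account:
        acc = Account(f"acct-{self._next}", email, tid, oid, sub)
        self._next += 1
        self.accounts[acc.account_id] = acc
        return acc

    def by_email(self, email: str) -> Optional[Account]:
        for acc in self.accounts.values():
            if acc.email.lower() == email.lower():
                return acc
        return None

    def by_identity(self, tid: str, oid: str) -> Optional[Account]:
        for acc in self.accounts.values():
            if acc.tid == tid and acc.oid == oid:
                return acc
        return None


def login_vulnerable(store: UserStore, claims: Dict[str, object]) -> Account:
    """The misconfiguration the article describes: the mutable, unverified
    'email' claim is the key used to find (and silently merge into) an account."""
    email = str(claims["email"])
    acc = store.by_email(email)
    if acc is None:
        acc = store.add(email)
    return acc


def email_claim_trustworthy(claims: Dict[str, object]) -> bool:
    """True only if the token asserts the tenant verified ownership of the
    email domain. Even then, email is suitable for display, not as a key."""
    return bool(claims.get("email")) and claims.get("xms_edov") is True


def login_hardened(store: UserStore, claims: Dict[str, object]) -> Account:
    """Keys on the immutable tid + oid pair. Email is stored for display and
    never used to locate or merge an account. A new identity always gets a
    fresh account; linking it to an existing email-based account would need a
    separate proof of mailbox control, which this example does not offer."""
    tid, oid = str(claims["tid"]), str(claims["oid"])
    acc = store.by_identity(tid, oid)
    if acc is None:
        display_email = str(claims.get("email", "")) if email_claim_trustworthy(claims) else ""
        acc = store.add(display_email, tid, oid, str(claims.get("sub", "")))
    return acc


def demo() -> Dict[str, bool]:
    """Runs both flows against a store where the victim already has a local
    account (created without any Microsoft login). Returns whether each flow
    handed the attacker the victim's account."""
    results = {}
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        store = UserStore()
        victim = store.add(VICTIM_EMAIL)
        got = login(store, ATTACKER_CLAIMS)
        results[name] = got.account_id == victim.account_id
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': True, 'hardened': False}
```

The design point is that `tid` and `oid` (or `sub`) are assigned by the identity provider and cannot be changed by the tenant admin, whereas `email` is free-form tenant data; any account-merge path that starts from the email value therefore needs its own ownership proof, independent of the OAuth login.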
Disclosure Timeline
- April 11, 2023 – Descope reported the nOAuth configuration issue to Microsoft, initiating the disclosure process.
- April 12, 2023 – Microsoft promptly opened a ticket in response to the reported issue.
- April 17-21, 2023 – Descope informed the vulnerable organizations about the identified vulnerability.
- April 18, 2023 – Microsoft acknowledged the issue and committed to providing guidance to affected customers while actively working on a fix. They also updated their documentation concerning OAuth claims.
- May 2, 2023 – Descope reached out to authentication providers that were merging accounts without proper validation, alerting them to the issue.
- May 4, 2023 – Both authentication providers acknowledged the problem and verified its existence.
- May 6, 2023 – The authentication providers promptly resolved the vulnerability by implementing necessary fixes.
- June 20, 2023 – Microsoft released the fixed version, addressing the nOAuth configuration flaw. Microsoft and Descope jointly carried out a public disclosure to raise awareness about the issue and its resolution.