Microsoft has recently addressed a critical security flaw in Azure Active Directory (Azure AD) authentication, identified by the Descope security team as nOAuth. This misconfiguration could potentially allow threat actors to escalate privileges and gain full control over a target’s account. Specifically, the vulnerability lies in Azure AD OAuth applications configured to use the email claim from access tokens for authorization.
Attackers could exploit this flaw by changing the email on their Azure AD admin account to the victim’s email address and using the “Log in with Microsoft” feature for authorization on the vulnerable app or website. This could result in complete account takeover, even if the victim does not have a Microsoft account. Descope discovered multiple large organizations vulnerable to this attack, including a design app with millions of monthly users, a publicly traded customer experience firm, and one from a leading multi-cloud consulting provider. The attacker gains full control after a successful login, allowing them to establish persistence, exfiltrate data, and explore other malicious activities.
Microsoft has since addressed the nOAuth configuration through mitigations issued, following Descope’s initial report on April 11, 2023. The company identified several multi-tenant applications using an email address with an unverified domain owner and deployed mitigations to omit token claims from unverified domain owners for most applications. Microsoft strongly advises developers to assess their apps’ authorization business logic thoroughly and adhere to guidelines to prevent unauthorized access.
Reference:
