A security flaw in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) can be exploited to achieve full account takeover, researchers said.
California-based identity and access management service Descope, which discovered and reported the issue in April 2023, named it nOAuth.
“nOAuth is an authentication implementation weakness that could affect Microsoft Azure AD multi-tenant OAuth applications,” Omer Cohen, chief security officer at Descope, said.
The misconfiguration relates to how a bad actor was able to change the email attribute under “Contact Information” in an Azure AD account and exploit the “Sign in with Microsoft” feature to hijack a victim’s account.
To carry out an attack, all an adversary has to do is create and access an Azure AD admin account and change their email address to that of the victim and leverage single sign-on schemes on vulnerable apps or websites.
“If the application merges user accounts without validation, the attacker now has complete control over the victim’s account, even if the victim does not have a Microsoft account,” Cohen explained.
A successful exploit gives the adversary an “open field” to set up persistence, extract data, and perform other post-exploit activities based on the nature of the application.
This stems from the fact that email addresses can change and are not verified in Azure AD, prompting Microsoft to issue a warning not to use email claims for authorization purposes.
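The anti-pattern described above, as an added illustration that is not Descope's or Microsoft's code: an application that merges accounts on the unverified email claim beside one that keys on the tenant and object identifiers (the tid and oid claims) and treats email as contact data only. The claim sets, tenant and object ids, and user store are constructed for the example; token signature validation is assumed to have already happened.

```python
"""Account linking on a federated sign-in: merge-by-email (the nOAuth anti-pattern)
beside a lookup keyed on the issuer-assigned tid + oid identifiers.

Added example; the claim sets below are constructed, not real Azure AD tokens."""

import itertools
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    email: str
    idp_key: Optional[str] = None   # "<tid>:<oid>" once linked to an Azure AD identity


class UserStore:
    """Minimal in-memory user table standing in for the application's database."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        self._ids = itertools.count(1)

    def add(self, email: str, idp_key: Optional[str] = None) -> User:
        user = User(user_id=f"u-{next(self._ids)}", email=email, idp_key=idp_key)
        self._users[user.user_id] = user
        return user

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self._users.values()
                     if u.email.lower() == email.lower()), None)

    def by_idp_key(self, key: str) -> Optional[User]:
        return next((u for u in self._users.values() if u.idp_key == key), None)


def insecure_login(store: UserStore, claims: dict) -> User:
    """Anti-pattern: the unverified 'email' claim is treated as the identity, and any
    local account with the same address is silently merged (returned as-is)."""
    user = store.by_email(claims["email"])
    return user if user is not None else store.add(claims["email"])


def hardened_login(store: UserStore, claims: dict) -> User:
    """Key on tid + oid, which the issuer assigns and the user cannot edit. The
    email claim is stored as contact data only; it never selects or merges an account."""
    key = f"{claims['tid']}:{claims['oid']}"
    user = store.by_idp_key(key)
    if user is None:
        # First federated login for this identity: create a distinct account.
        # Linking it to an existing password account must be an explicit,
        # separately authenticated step, never an automatic match on email.
        user = store.add(claims.get("email", ""), idp_key=key)
    return user


# Constructed scenario: the victim registered with a password and has no Microsoft
# account; the attacker signs in from their own tenant after changing the contact
# email on that account to the victim's address.
VICTIM_EMAIL = "victim@example.com"
ATTACKER_CLAIMS = {
    "tid": "attacker-tenant-0000",   # attacker-controlled tenant (constructed id)
    "oid": "attacker-object-0000",   # attacker's object id (constructed id)
    "email": VICTIM_EMAIL,           # editable, unverified contact attribute
}


def run_scenario():
    """Returns (victim_id, id the insecure app logs the attacker into,
    id the hardened app logs the attacker into)."""
    def seed():
        store = UserStore()
        return store, store.add(VICTIM_EMAIL)

    insecure_store, victim_a = seed()
    hardened_store, _ = seed()
    return (
        victim_a.user_id,
        insecure_login(insecure_store, ATTACKER_CLAIMS).user_id,
        hardened_login(hardened_store, ATTACKER_CLAIMS).user_id,
    )


if __name__ == "__main__":
    print(run_scenario())
```

Run stand-alone, the insecure path lands the attacker's token in the victim's existing account, while the hardened path yields a separate account for the attacker's tid + oid pair and the victim's record is untouched; repeating the hardened login with the same claims returns the same account, so the stable key also gives correct returning-user behaviour.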
The tech giant characterizes the issue as “an insecure anti-pattern used in Azure AD (AAD) applications” where use of email claims of access tokens for authorization can lead to privilege escalation.
“An attacker can forge email claims in the token issued to the application,” it noted. “Additionally, the threat of data leakage exists if the application uses the claim for email search.”
It also said it identified and notified multiple multi-tenant applications whose users sign in with email addresses at domains whose ownership has not been verified.