uTalk

Official forum for Utopia Community


#1 2023-06-21 21:38:25

thrive
Member
Registered: 2023-01-04
Posts: 2,018

Microsoft Azure AD's Serious 'nOAuth' Bug Enabled Full Acc Takeover

According to researchers, a security flaw in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been used to completely take control of an account.

The problem was identified in April 2023 and was given the nOAuth moniker by the California-based identity and access management service Descope.

According to Omer Cohen, chief security officer at Descope, "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications."

The configuration error relates to how a malicious actor can alter email attributes under "Contact Information" in the Azure AD account and use the "Log in with Microsoft" feature to hijack a victim account.

To execute the attack, all the adversary needs to do is create and log into an Azure AD admin account, change their email address to that of the victim, and use a vulnerable app or website's single sign-on feature.

Cohen said that even if the victim doesn't have a Microsoft account, the attacker would still be in complete control of the victim's account if the app combined user accounts without validating the users' identities.

In the event of successful exploitation, the adversary is given an "open field" to implement persistence, exfiltrate data, and engage in other post-exploitation tasks depending on the app.


This is due to the fact that an email address in Azure AD is both mutable and unverified, which led Microsoft to issue a warning about the use of email claims for authorization.

The problem was described by the technology behemoth as an "insecure anti-pattern used in Azure AD (AAD) applications" where the use of the email claim from access tokens for authorization can result in a privilege escalation.

It stated that "a hacker could fabricate the email claim in tokens issued to applications." Furthermore, "applications that use such claims for email lookup run the risk of leaking data."

Additionally, it claimed to have discovered and informed the owners of a number of multi-tenant applications whose users make use of email addresses with unverified domain owners.

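The account-linkage mistake the post describes, beside a hardened lookup, as an added Python example that is not part of the post or of Descope's or Microsoft's material. It assumes the ID token's signature has already been verified by an OIDC library, and every tenant id, object id, client id and address is a constructed placeholder.

```python
"""nOAuth: keying 'Log in with Microsoft' accounts on the unverified
'email' claim versus the IdP-issued (tid, oid) pair. Sample data is constructed."""

CLIENT_ID = "00000000-0000-0000-0000-0000000000c1"  # placeholder app (client) id

# Constructed user store. The vulnerable path keys on email; the hardened
# path keys on the tenant id + object id that only the identity provider sets.
USERS = {
    "victim@example.com": {"user_id": 1, "email": "victim@example.com",
                           "tid": "tenant-victim", "oid": "oid-victim"},
}

# Constructed ID-token claims. An attacker who owns their own Azure AD tenant
# can set 'email' to the victim's address (mutable, unverified) but cannot
# choose 'tid' or 'oid', which the IdP assigns.
VICTIM_TOKEN = {"iss": "https://login.microsoftonline.com/tenant-victim/v2.0",
                "aud": CLIENT_ID, "tid": "tenant-victim", "oid": "oid-victim",
                "email": "victim@example.com"}
ATTACKER_TOKEN = {"iss": "https://login.microsoftonline.com/tenant-attacker/v2.0",
                  "aud": CLIENT_ID, "tid": "tenant-attacker", "oid": "oid-attacker",
                  "email": "victim@example.com"}


def vulnerable_lookup(claims):
    """The nOAuth anti-pattern: the 'email' claim is the account key, so any
    token carrying the victim's address resolves to the victim's account."""
    return USERS.get(claims.get("email"))


def hardened_lookup(claims):
    """Resolve the account by the immutable (tid, oid) pair after checking the
    token was issued to this app by the tenant it names; 'email' is display
    data only and is never used to find or merge accounts."""
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this application")
    expected_iss = f"https://login.microsoftonline.com/{claims.get('tid')}/v2.0"
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer does not match the tid claim")
    key = (claims.get("tid"), claims.get("oid"))
    for user in USERS.values():
        if (user["tid"], user["oid"]) == key:
            return user
    # Unknown identity: provision a fresh account (or require an explicit,
    # verified linking step) rather than attaching to an existing one by email.
    return None
```

The same (tid, oid) key works for the "victim has no Microsoft account" case from the post: an attacker's token simply resolves to no existing user instead of being merged into one.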
