Thursday, 22 June 2023 09:26

Flaw in MS Azure AD OAuth Could Allow for Complete Account Take Over

Written by

Reading time is around minutes.

Microsoft’s Azure AD, the cloud-based flavor of the on-premises service is an interesting construct. On the surface you think that it has some decent protections enabled by default. The sad truth of the matter is that this is not the case and many options for security are very lacking until you hit much higher security levels. If you add to this equation the likelihood of vulnerabilities and other flaws that can allow an attacker to bypass the security options that are already there it is a bit of a mess. This wonderful thought is what brings us to today’s flaw. According to security researchers, there is a flaw in how Microsoft Azure AD processes its implementation of OAuth (Open Authentication).

Dubbed nOAuth, the flaw was disclosed to Microsoft in April 2023 (meaning attackers could have had it for longer) by Descope. The flaw affects Azure AD Multi-Tenant applications. The leverage this flaw the attacker needs to be able to create and then access an Azure AD admin account. From there they modify the email address of the account to that of their target. From there they send the new email to an app they suspect is vulnerable and hope that the app will merge the information of the two accounts allowing access. In simple terms, if I create an azure admin account in a tenant that I own and modify the email address associated with that account to a target in another tenant I can use that to access a multi-tenant application that allows for “sign on with Microsoft” as an option. This option also needs to use the email address as the claim for the token without any verification of the email it is using.

If the attacker is successful in exploiting this flaw, they have elevated privileges in the application. This can lead to additional follow-on operations including data leakage/theft. There are a lot of applications that could be open to this attack, working in fields like Hospitality, Mortgage and Finance as well as other areas, there are often connections between Azure AD and the target system. If email is for authorization, it opens a whole new area of attack. In the mortgage industry alone, I can see this being used to attempt to pivot into origination systems for eventual financial fraud (fake wire instructions). If an attacker used this in combination with an existing business email compromise (BEC) they have a ton of flexibility in how they execute this one.

Microsoft has issued a warning for organizations not to use email claims for authentication/authorization in their multi-tenant apps. They have also reached out to a few organizations that were found to be using email claims and notified them of the vulnerability. Organization should check with any integrated application partners to ensure they are not relying on just an email claim for authorization, and if they are to ensure they (the third party cloud vendor) are taking steps to change that. Stay safe out there.

Read 802 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.