Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover
22.6.23 Vulnerebility The Hacker News
A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.
California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth.
"nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said.
The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account.
To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website.
"If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen explained.
Successful exploitation grants the adversary an "open field" to set up persistence, exfiltrate data, and carry out other post-exploitation activities based on the nature of the app.
This stems from the fact that an email address is both mutable and unverified in Azure AD, prompting Microsoft to issue a warning not to use email claims for authorization purposes.
The tech giant characterized the issue as an "insecure anti-pattern used in Azure AD (AAD) applications" where the use of the email claim from access tokens for authorization can lead to an escalation of privilege.
"An attacker can falsify the email claim in tokens issued to applications," it noted. "Additionally, the threat of data leakage exists if applications use such claims for email lookup."
It also said it identified and notified several multi-tenant applications with users that utilize an email address with an unverified domain owner.