Product and Affected Versions: Microsoft Azure Active Directory (AD) multi-tenant OAuth applications |
Severity and CVE ID: No CVE ID or severity rating is given in the source material. Microsoft treats the issue as an application-side misconfiguration (an "insecure anti-pattern" in how apps consume tokens) rather than a platform vulnerability. |
Vulnerability: A flaw named "nOAuth", reported by Descope, affects multi-tenant OAuth applications that offer "Log in with Microsoft" through Azure AD. Its root cause is a combination of two things: the Email attribute under "Contact Information" on an Azure AD user is an unverified field that any admin of the tenant can set to any address, including one on a domain the tenant does not own; and a vulnerable app uses the resulting email claim in the token as the key for looking up or merging user accounts. An attacker therefore needs nothing more than admin rights in a tenant they control. They set their own user's Email attribute to the victim's address, sign in to the target app with Microsoft, and the app merges them into the victim's account. The victim does not need a Microsoft account at all; only an account in the target app with that email address. After takeover the attacker has whatever the app grants that user: persistence, data exfiltration, and any further post-exploitation the app's functionality allows. |
How the Attack Works: 1. The attacker creates (or already controls) an Azure AD tenant and holds admin rights in it. 2. The attacker sets the Email attribute of a user in that tenant to the victim's email address; Azure AD does not verify the address or require that the tenant own its domain. 3. The attacker signs in to the target app or website through "Log in with Microsoft"; the issued token is genuine and correctly signed, and its email claim carries the victim's address. 4. If the app identifies or merges accounts by the email claim instead of an immutable identifier, the attacker is logged in as the victim. |
Remediations: Microsoft has warned against using the email claim for identification or authorization and has characterized doing so as an "insecure anti-pattern" in Azure AD applications. Its published guidance is to key user identity on claims the tenant admin cannot edit: the object ID (oid) combined with the tenant ID (tid), or the subject (sub) claim, and to treat email as display data only. Where an app must consult email, Microsoft's optional xms_edov claim ("email domain owner verified") indicates whether the issuing tenant has verified ownership of the address's domain; its absence should be treated as unverified. Microsoft has identified and notified several multi-tenant applications with users whose email addresses come from unverified domains. Application developers and administrators should review their sign-in and account-linking code, never auto-merge a new external identity into an existing account on the strength of an email claim, and require an out-of-band proof of ownership (such as a mailed verification link) before linking. |
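The account-linking logic behind the attack steps and the remediation above, as an added example that is not code from Descope, Microsoft, or any affected application. The tenant IDs, object IDs and token claim sets are constructed placeholders, and the example assumes JWT signature, issuer and audience validation have already been done so only the decoded claims are in play. The vulnerable function keys on the email claim; the hardened one keys on tid+oid and only auto-links by email when Azure AD attests domain ownership via xms_edov.

```python
"""nOAuth: account merging by email claim versus by immutable identifiers.

Added example, not Descope's or Microsoft's code. All claim sets below are
constructed for illustration and were not issued by Azure AD.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed GUID-shaped placeholders (assumption, not real tenants).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"

# Claims a genuine user of victim.example would receive from their own tenant.
LEGIT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{VICTIM_TENANT}/v2.0",
    "tid": VICTIM_TENANT,
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "alice@victim.example",
    "xms_edov": True,  # tenant has verified ownership of victim.example
}

# Claims an attacker obtains from a tenant THEY administer after setting
# their user's Email attribute to the victim's address. The token is real
# and correctly signed; nothing in it is forged, only the email is untrue.
ATTACKER_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/v2.0",
    "tid": ATTACKER_TENANT,
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "email": "alice@victim.example",
    # no xms_edov: the attacker's tenant does not own victim.example
}


@dataclass
class User:
    user_id: int
    email: str
    ms_identity: Optional[str] = None  # "tid:oid" once linked to Microsoft


class UserStore:
    """In-memory stand-in for the application's user table."""

    def __init__(self) -> None:
        self._users: list[User] = []

    def create(self, email: str, ms_identity: Optional[str] = None) -> User:
        user = User(len(self._users) + 1, email, ms_identity)
        self._users.append(user)
        return user

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self._users if u.email.lower() == email.lower()), None)

    def by_ms_identity(self, key: str) -> Optional[User]:
        return next((u for u in self._users if u.ms_identity == key), None)


def ms_identity_key(claims: dict) -> str:
    """oid is unique within a tenant and tid names the tenant; neither can be
    edited by a tenant admin, which is exactly what email lacks."""
    return f"{claims['tid']}:{claims['oid']}"


def vulnerable_login(store: UserStore, claims: dict) -> User:
    """The nOAuth anti-pattern: the email claim is the account key, so any
    tenant admin who sets that email is merged into the existing account."""
    email = claims["email"]
    return store.by_email(email) or store.create(email)


def hardened_login(store: UserStore, claims: dict) -> User:
    """Key on tid+oid. A new Microsoft identity never silently merges into an
    existing local account on the strength of an unverified email claim."""
    key = ms_identity_key(claims)
    user = store.by_ms_identity(key)
    if user is not None:
        return user  # returning user, matched on immutable identifiers
    email = claims.get("email", "")
    existing = store.by_email(email) if email else None
    if existing is None:
        return store.create(email, key)  # first sign-in, fresh account
    # Email collides with an unlinked local account. Auto-link only when the
    # issuing tenant is attested to own the email's domain (xms_edov is an
    # optional claim the app registration must request); anything else
    # needs an out-of-band proof such as a mailed verification link.
    if existing.ms_identity is None and claims.get("xms_edov") is True:
        existing.ms_identity = key
        return existing
    raise PermissionError(
        f"{email} belongs to an existing account; verify ownership before linking"
    )


if __name__ == "__main__":
    store = UserStore()
    victim = store.create("alice@victim.example")  # victim has no Microsoft account
    print("vulnerable:", vulnerable_login(store, ATTACKER_CLAIMS).user_id == victim.user_id)
    try:
        hardened_login(store, ATTACKER_CLAIMS)
    except PermissionError as exc:
        print("hardened:", exc)
```

Run stand-alone, the vulnerable path returns the victim's own user record for the attacker's token, while the hardened path refuses to link and leaves the attacker with no access. Note that xms_edov only says the issuing tenant owns the domain; an app that cannot request the claim should drop the auto-link branch entirely and always require explicit verification.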
References: – Descope, discovery and disclosure of the nOAuth flaw in Microsoft Azure AD multi-tenant applications – Microsoft, guidance warning against use of the email claim and characterizing it as an insecure anti-pattern in Azure AD applications |