The security defect, nicknamed nOAuth, is described as an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications.
According to an advisory documenting the issue, Descope noted that a malicious actor can modify email attributes in Microsoft Azure AD accounts and exploit the one-click “Log in with Microsoft” feature with the email address of any victim they want to impersonate.
“In usual OAuth and OpenID Connect implementations, the user’s email address is used as the unique identifier by applications. However, in Microsoft Azure AD, the “email” claim returned is mutable and unverified so it cannot be trusted,” Descope explained.
The company said the combined effect allows an attacker that created their Azure AD tenant to use “Log in with Microsoft” with a vulnerable app and a specially crafted “victim” user, resulting in a complete account takeover. Descope released a demo videoshowing the simplicity of potential exploitation.
Descope, a startup in the customer identity space, reported the issue to Microsoft earlier this year and worked with Redmond on new mitigations to protect businesses from privilege escalation attacks.
Microsoft described the issue as “an insecure anti-pattern used in Azure AD (AAD) applications” where use of the email claim from access tokens for authorization can lead to an escalation of privilege.
ADVERTISEMENT. SCROLL TO CONTINUE READING.
“An attacker can falsify the email claim in tokens issued to applications. Additionally, the threat of data leakage exists if applications use such claims for email lookup,” Microsoft acknowledged.
“Microsoft recommends never using the email claim for authorization purposes. If your application uses the email claim for authorization or primary user identification purposes, it is subject to account and privilege escalation attacks,” the software giant said.
Microsoft is also urging developers to review the authorization business logic of their applications and follow documented guidance to protect applications from unauthorized access.