
Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover
2023-06-21 11:38

A security shortcoming in the Microsoft Azure Active Directory (Azure AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.

"nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said.

The misconfiguration has to do with how a malicious actor can modify the email attribute under "Contact Information" in an Azure AD account and then abuse the "Log in with Microsoft" feature to hijack a victim's account on an application that trusts that attribute.

To pull off the attack, all an adversary has to do is create an Azure AD tenant with an admin account, change that account's email address to the victim's, and then sign in through the single sign-on flow of a vulnerable app or website, which matches the incoming email claim to the victim's existing account.

This stems from the fact that the email address is both mutable and unverified in Azure AD, which prompted Microsoft to issue a warning not to use email claims for authorization purposes.

The tech giant characterized the issue as an "Insecure anti-pattern used in Azure AD applications" where the use of the email claim from access tokens for authorization can lead to an escalation of privilege.
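The anti-pattern Microsoft describes is easiest to see next to its fix. The following is an added example, not code from the article, from Descope or from Microsoft: a minimal "Log in with Microsoft" account-resolution step, first in the insecure form that keys the app's user record on the `email` claim, then in a hardened form that keys it on the immutable `oid` (object id) plus `tid` (tenant id) pair. The token claims are constructed sample values, the app's user table is a hypothetical in-memory list, and it is assumed that the token signature has already been verified before the claims reach this code.

```python
"""Added example (not the article's or Microsoft's code): resolving an app
account from Azure AD token claims, vulnerable version beside hardened one.

Assumptions (constructed for this example):
  - the app keeps its own user table (USERS below);
  - claims arrive as a dict after signature verification;
  - claim names are the standard Azure AD ones: ``email`` (mutable and
    unverified), ``oid`` (immutable per user) and ``tid`` (tenant id).
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    username: str
    email: str
    # Set when the account was first linked to a specific Azure AD identity.
    tid: Optional[str] = None
    oid: Optional[str] = None


# Constructed sample user table: the victim linked their account earlier,
# from their own tenant, so tid/oid are recorded.
VICTIM = User(
    username="alice",
    email="alice@victim-corp.example",
    tid="11111111-1111-1111-1111-111111111111",
    oid="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
)
USERS: List[User] = [VICTIM, User(username="bob", email="bob@victim-corp.example")]

# Constructed token claims. The attacker's tenant is different, but the
# attacker has edited their Azure AD email attribute to the victim's address.
VICTIM_CLAIMS: Dict[str, str] = {
    "tid": VICTIM.tid,
    "oid": VICTIM.oid,
    "email": "alice@victim-corp.example",
}
ATTACKER_CLAIMS: Dict[str, str] = {
    "tid": "99999999-9999-9999-9999-999999999999",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@victim-corp.example",  # mutable, unverified claim
}


def vulnerable_lookup(claims: Dict[str, str], users: List[User]) -> Optional[User]:
    """Anti-pattern: trust the email claim as the account identifier.

    In a multi-tenant app any tenant admin controls this value, so a
    matching email here hands over the victim's account.
    """
    wanted = claims.get("email", "").lower()
    for user in users:
        if user.email.lower() == wanted:
            return user
    return None


def hardened_lookup(claims: Dict[str, str], users: List[User]) -> Optional[User]:
    """Key the account on (tid, oid), which the attacker cannot choose.

    No match means this is an unknown identity: the app must treat it as a
    new user (or run its own email verification), never merge on email.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # refuse to resolve an account without both identifiers
    for user in users:
        if user.tid == tid and user.oid == oid:
            return user
    return None


if __name__ == "__main__":
    print("vulnerable, attacker token ->", vulnerable_lookup(ATTACKER_CLAIMS, USERS))
    print("hardened,   attacker token ->", hardened_lookup(ATTACKER_CLAIMS, USERS))
    print("hardened,   victim token   ->", hardened_lookup(VICTIM_CLAIMS, USERS))
```

Run as a script, the vulnerable lookup resolves the attacker's token to the victim's record while the hardened lookup returns nothing for it and still finds the victim with the victim's own token. The same rule applies when linking an account for the first time: record `tid` and `oid` at that point and do not auto-link a new Azure AD identity to an existing record just because the email matches.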


News URL

https://thehackernews.com/2023/06/critical-noauth-flaw-in-microsoft-azure.html

Related vendor

VENDOR      LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Microsoft   663                   792   4388     4085   3666       12931