Microsoft has fixed a flaw in Azure Active Directory (Azure AD) authentication that could have allowed threat actors to take over a target account completely and escalate privileges.
The misconfiguration, identified by the security team at Descope and named nOAuth, affects Azure AD OAuth applications that are configured to use the email claim from access tokens for authorization, exposing them to account takeover and privilege escalation attacks.
An attacker only needed to use the “Log in with Microsoft” feature on the vulnerable app or website and change the email address on their Azure AD admin account to the victim’s email address.
If the targeted application permitted email addresses to be used as unique identifiers during authorization, this allowed the attacker to take complete control of the target’s account.
Because Azure AD did not require email changes to be validated, this was a viable attack method even when the victim had no Microsoft account at all.
Following an initial report sent by Descope on April 11, 2023, Microsoft implemented mitigations today to address the nOAuth misconfiguration.
Redmond stated, “Microsoft has identified several multi-tenant applications with users using an unverified domain owner’s email address.”
“Your application has not consumed email claims with unverified domain owners if you did not receive a notification.
“Microsoft has implemented mitigations to omit token claims from unverified domain owners for the majority of applications” in order to “protect customers and applications that may be vulnerable to privilege escalation.”
To protect against unauthorized access, the company also strongly advised developers to thoroughly review the authorization business logic of their apps and adhere to these guidelines.
When using the Microsoft identity platform, developers are also encouraged to follow these recommended best practices for token validation.
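What that review of authorization logic looks like in practice, as an added example that is not code from the article, Descope or Microsoft: the email-keyed account lookup that nOAuth abuses beside a hardened version that links accounts on the tenant id and object id claims instead. The sample claims dicts are constructed here, and the code assumes the token's signature, issuer, audience and expiry were already validated upstream; the `xms_edov` optional claim is assumed to be requested in the app's optional claims configuration.

```python
"""Account linking that does not trust the email claim, beside the email-keyed
pattern that nOAuth exploits. Claims are assumed to come from a token whose
signature, issuer, audience and expiry were already validated; this code only
covers the authorization step that decides which local account a sign-in maps to."""

# Constructed sample claims. VICTIM_TOKEN is the victim's own sign-in from their
# tenant. IMPOSTOR_TOKEN is from a different tenant whose admin set an
# unverified email matching the victim's address, which is the nOAuth scenario.
VICTIM_TOKEN = {"tid": "tenant-a", "oid": "obj-1111",
                "email": "victim@example.com", "xms_edov": True}
IMPOSTOR_TOKEN = {"tid": "tenant-b", "oid": "obj-2222",
                  "email": "victim@example.com", "xms_edov": False}


class AccountStore:
    def __init__(self):
        self.by_key = {}      # lookup key -> local user id
        self.profiles = {}    # local user id -> profile data

    def get_or_create(self, key, email):
        uid = self.by_key.get(key)
        if uid is None:
            uid = f"user-{len(self.profiles) + 1}"
            self.by_key[key] = uid
            self.profiles[uid] = {"email": email}
        return uid


def vulnerable_resolve_user(store, claims):
    """Email as the unique identifier: any token carrying the same email claim
    resolves to the same local account, regardless of who issued it to whom."""
    return store.get_or_create(claims["email"], claims["email"])


def stable_identity_key(claims):
    """Tenant id plus object id. Both are assigned by Azure AD and cannot be
    edited by the account holder, unlike the email attribute."""
    try:
        return f"{claims['tid']}:{claims['oid']}"
    except KeyError as missing:
        raise ValueError(f"token lacks required claim {missing}") from None


def hardened_resolve_user(store, claims):
    """Link on the stable key only. The email claim is retained for display and
    notifications, and only when xms_edov (assumed to be requested as an optional
    claim) reports that the email's domain owner is verified."""
    email = claims.get("email") if claims.get("xms_edov") is True else None
    return store.get_or_create(stable_identity_key(claims), email)
```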