Critical Azure AD Flaw Enables Cross-Platform Spoofing, Descope Analysis Reveals
Security researchers conducting a Descope analysis have unveiled a critical vulnerability in Azure Active Directory (Azure AD), Microsoft’s cloud-based identity and access management service.
This flaw, discovered during their investigation, exposes users to a high-risk scenario of cross-platform spoofing. The implications of this vulnerability have raised significant concerns regarding the security of Azure AD and the potential for widespread exploitation.
Organizations that have integrated the “Log in with Microsoft” feature into their Microsoft Azure Active Directory setups may face a critical security issue related to authentication bypass, potentially leading to unauthorized access and account takeovers of online and cloud-based accounts.
Researchers from Descope, a renowned cybersecurity firm, have identified and named this attack “nOAuth.”
They have categorized it as an authentication implementation flaw affecting multitenant OAuth apps in Azure AD, Microsoft’s cloud-based identity and access management service.
Exploiting this vulnerability would allow threat actors to gain control over the targeted user’s accounts, allowing them to establish persistence, extract sensitive data, assess the feasibility of lateral movement, and perform other malicious activities.
How it’s a Threat?
Cross-platform spoofing allows malicious actors to impersonate legitimate users across multiple platforms, enabling them to gain unauthorized access to sensitive information and resources.
By exploiting the flaw in Azure AD’s authentication process, threat actors can bypass Microsoft’s security protocols and assume the identities of legitimate users on various platforms and services.
The Descope analysis underlines the severity of this vulnerability, as it enables attackers to compromise organizational networks, manipulate data, and launch further attacks, potentially leading to substantial financial and reputational damages for affected entities.
Upon being informed about the findings, Microsoft immediately began working on a patch to address this critical flaw. However, until a comprehensive solution is available, Azure AD users are urged to exercise extreme caution and implement additional security measures.
How to Understand no Auth Cyberattack?
The attack method employed in this scenario is alarmingly straightforward:
- The attackers begin by gaining access to their Azure AD account and are granted administrator privileges.
- Subsequently, the attackers modify the “email” attribute associated with their account, replacing it with the victim’s email address.
- Significantly, Azure AD does not enforce validation for email changes, allowing the system to merge the two accounts seamlessly. As a result, the attackers acquire unrestricted access to the victim’s environment, potentially compromising sensitive data and resources.
The nOAuth cyberattack threat is in attention due to its implications for the OAuth framework, an open-source, token-based authorization framework widely used for automatic application login based on prior authentication with trusted apps.
Users are familiar with this through options like “Log in with Facebook” or “Log in with Google” on various e-commerce platforms.
Within the Azure AD environment, OAuth controls user access to external resources, including Microsoft 365, the Azure portal, and many other SaaS applications that support OAuth apps.
According to an analysis conducted by Descope, Azure Active Directory manages access to external resources and handles internal resources such as corporate intranet apps and cloud applications developed by organizations, providing authentication through protocols like OAuth and OIDC (OpenID Connect).
A Peek into Descopes Recent Analysis
Based on Descope’s recently released analysis, it has been revealed that an urgent issue exists in OAuth and OpenID Connect implementations within Microsoft Azure AD.
In most implementations of OAuth and OpenID Connect, the user’s email address serves as a unique identifier for applications. However, in Microsoft Azure AD, the researchers at Descope have highlighted a significant flaw. They explain that the “email” claim returned by Azure AD is mutable and unverified, rendering it unreliable and untrustworthy.
This flaw allows individuals with malicious intentions and a reasonable understanding of the platform to create an Azure AD account and manipulate the email attribute under the “Contact Information” section. By doing so, they can control the email authentication claim associated with that account.
As a result, attackers can exploit this vulnerability to impersonate victims by utilizing the “Login with Microsoft” feature. They can then take over the victims’ accounts on any application that utilizes the “email” claim as the unique identifier for Microsoft OAuth.
These applications’ lack of email address validation authorizes attackers to bypass the authentication process altogether.
The consequences of this vulnerability are far-reaching, as attackers can gain unauthorized access to user accounts, potentially leading to data breaches, unauthorized activities, and compromised privacy.
How is Authentication Weakening?
To gain a comprehensive understanding of the magnitude of the problem, Descope researchers conducted a proof-of-concept (PoC) exploit called nOAuth.
They performed a white-hat attack on numerous websites and applications to assess their vulnerability to this exploit. Their findings were alarming, as they discovered that many websites and applications were susceptible to the nOAuth attack.
Among the affected entities were a popular design app with millions of monthly users, a publicly traded customer experience company, a leading multi-cloud consulting provider, several small and medium-sized businesses (SMBs), and early-stage startups.
The researchers also notified two authentication platform providers about the issue. These providers unknowingly merged user accounts when the “Login with Microsoft” feature was used on existing user accounts. It posed a significant risk to customers using “Login with Microsoft” on these platforms.
The researchers emphasize that their findings represent only a fraction of the vulnerabilities on the internet. Thousands of other users could likely be affected by similar weaknesses.
While Microsoft has previously advised users against using an email address as a unique identifier for authentication, the company took the Descope researchers’ findings seriously.
In response, Microsoft has updated its Azure AD OAuth implementation guidance to address the breadth of the issue. The updated guidance now includes two new claims to utilize and dedicated sections on claim verification.
Omer Cohen, Chief Information Security Officer at Descope, highlights the critical nature of the situation for apps using “Login with Microsoft” and handling authentication in-house.
He advises these app developers to thoroughly examine whether they use the email claim returned by Azure AD as the unique identifier. If so, immediate remediation steps should be taken to ensure that the “sub” (Subject) claim is used as the unique identifier for the user, thereby mitigating the potential for exploitation.
The collaborative efforts between Descope researchers and Microsoft have shed light on the severity of the authentication weakness and prompted essential updates to protect users’ accounts and information.
App developers and organizations must heed this guidance and take the necessary steps to enhance their security measures, preventing unauthorized access and potential exploitation of vulnerabilities.
Rampant Incorrect Implementations of OAuth Raise Concerns for Businesses
Several high-profile incidents have recently exposed incorrect implementations of OAuth, highlighting the urgent need for organizations to address this vulnerable attack vector to safeguard their systems and users.
One such case emerged in March when vulnerabilities were discovered in the authorization system of the main Booking.com website. These flaws could have allowed attackers to hijack user accounts, gaining unrestricted access to personal and payment card information.
Furthermore, attackers could have exploited the same vulnerabilities to log into accounts on the website’s sister platform, Kayak.com.
In May, a bug identified as CVE-2023-28131 was identified in the OAuth implementation of Expo, an open-source framework used for developing native mobile apps. This flaw threatened users using various social media accounts to log into an online service utilizing the Expo framework. The vulnerability could compromise the security of these users’ accounts.
Omer Cohen, Chief Information Security Officer at Descope, emphasizes that organizations prioritize correctly implementing authentication standards like OAuth.
While these standards are robust and trustworthy, Cohen emphasizes the need for organizations to collaborate with cybersecurity and authentication experts during implementation.
“These standards are highly complex to work with,” Cohen states. “Authentication isn’t something you can just add and check a box. Implementing these standards correctly is critical to the security of the application.”
He further notes that businesses should conduct regular penetration testing and implementation reviews if they handle the implementation in-house. Alternatively, they can opt for an authentication platform developed by security experts, mitigating the risk of vulnerabilities and ensuring more robust security measures.
Cohen underscores the significance of this matter, as cybercriminals actively search for these types of weaknesses to exploit. He warns that these vulnerabilities are frequently targeted and exploited, causing widespread harm.
As organizations increasingly embrace cloud technologies and adopt Software-as-a-Service (SaaS) applications, robust user authentication becomes paramount. Identity now serves as the new firewall in the digital landscape.
Regardless of an application’s security, if user authentication is poorly designed and vulnerable, it leaves the front door open for cyberattacks.
What is your Way Through?
Organizations utilizing Azure AD are advised to conduct thorough security audits to identify system vulnerabilities. It is crucial to review security configurations, ensure the implementation of robust access controls, and consider the adoption of multi-factor authentication to bolster the protection of Azure AD accounts.
The Descope analysis serves as a reminder of the importance of ongoing collaboration between security researchers, technology companies, and affected users. Responsible disclosure of vulnerabilities and prompt action to address them play a pivotal role in safeguarding digital ecosystems.
The implications of this flaw extend beyond individual organizations, as businesses, government agencies, and educational institutions widely adopt Azure AD. Given its extensive use, the potential for cross-platform spoofing poses a significant threat to data privacy and system integrity.
To conclude, the Descope analysis has shed light on a critical vulnerability in Azure AD, exposing users to the risk of cross-platform spoofing. This flaw compromises the security of individual accounts and raises concerns about the integrity of data and resources across various platforms.
Azure AD users must remain vigilant, implement recommended security measures, and closely monitor updates from Microsoft to ensure prompt patch installation addressing this vulnerability. The cybersecurity community emphasizes the need for collaboration and swift action to mitigate the risks associated with this flaw and enhance the overall security of cloud-based services.