A vulnerability in Microsoft Azure Active Directory (AD) environments could put thousands of organizations at risk of an authentication bypass, enabling attackers to take over online and cloud accounts. Researchers at Descope have named this attack 'nOAuth' and identified it as an authentication implementation flaw affecting multitenant OAuth applications in Azure AD, Microsoft's cloud-based identity and access management service. Successful exploitation of this vulnerability could allow attackers to gain full control over a victim's accounts, establish persistence, exfiltrate data, and move laterally to other systems.
Omer Cohen, CISO at Descope, stated, "OAuth and OpenID Connect are open, popular standards which millions of Web properties already use." He added that if 'Log in with Microsoft' is improperly implemented, numerous apps could be susceptible to account takeover, particularly impacting small businesses with fewer developer resources. OAuth is an open, token-based authorization framework that enables users to automatically log into applications based on previous authentication to another trusted app. In Azure AD, OAuth is used to manage user access to external resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications that utilize OAuth apps.
Descope's analysis revealed that the vulnerability allows threat actors to perform cross-platform spoofing by using a victim's email address to impersonate them. The researchers explained that in typical OAuth and OpenID Connect implementations, applications use the user's email address as a unique identifier. However, in Microsoft Azure AD, the 'email' claim returned is mutable and unverified, meaning it cannot be trusted. Attackers with malicious intent and sufficient platform knowledge can set up an Azure AD account and arbitrarily change the email attribute under 'Contact Information' to control the email authentication claim. This would enable them to bypass authentication and take over a victim's account on any app that uses the 'email' claim as the unique identifier for Microsoft OAuth without validating the email address.
The Descope researchers developed a nOAuth proof-of-concept (PoC) exploit and tested it on hundreds of websites and applications to gauge the extent of the issue. They discovered that many of them were vulnerable, including a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, and several SMBs and early-stage startups. The researchers believe that these findings represent only a small fraction of the potentially affected users on the internet.
Microsoft has previously advised users not to use an email address as a unique identifier for authentication. After being informed of the issue by Descope, Microsoft updated its Azure AD OAuth implementation guidance to include two new claims and dedicated sections on claim verification. Omer Cohen emphasized the importance of checking whether the email claim returned by Azure AD is used as the unique identifier and, if so, taking remediation steps to ensure that the claim used as the unique identifier is the 'sub' (Subject) claim to prevent potential exploitation.
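The account-lookup mistake described above, and the 'sub'-based remediation, side by side as an added example (not Descope's PoC or Microsoft's code). All claim values and the local account table are constructed; the functions receive already-validated ID token claims as a plain dict.

```python
"""Resolving a local account from a 'Log in with Microsoft' ID token.

Constructed example: the same lookup keyed on the unverified 'email'
claim (vulnerable) and on the immutable 'sub' claim (hardened).
"""

# Constructed local account table. Accounts created through Microsoft
# sign-in store the 'sub' value they were issued at first login.
ACCOUNTS = [
    {"id": 1, "email": "alice@example.com", "ms_sub": "sub-victim-0001"},
    {"id": 2, "email": "bob@example.com", "ms_sub": "sub-bob-0002"},
]

# Constructed claims from a token the legitimate user presents.
LEGIT_CLAIMS = {"sub": "sub-victim-0001", "email": "alice@example.com",
                "tid": "tenant-victim"}

# Constructed claims from a token issued to a *different* tenant whose
# owner set the mutable email attribute to the victim's address.
SPOOFED_CLAIMS = {"sub": "sub-other-tenant-9999", "email": "alice@example.com",
                  "tid": "tenant-other"}


def lookup_vulnerable(claims, accounts=ACCOUNTS):
    """Vulnerable: keys the account on 'email'. Azure AD returns this claim
    unverified, so a token from any tenant can carry the victim's address."""
    email = claims.get("email", "").lower()
    for acct in accounts:
        if acct["email"].lower() == email:
            return acct
    return None


def lookup_hardened(claims, accounts=ACCOUNTS):
    """Hardened: keys the account on 'sub', which is stable for a given
    user and application. 'email' is display data only, never a key.
    An unknown subject must be provisioned as a new account, never
    merged into an existing one by matching the email address."""
    sub = claims.get("sub")
    if not sub:
        return None
    for acct in accounts:
        if acct["ms_sub"] == sub:
            return acct
    return None


def is_account_takeover(lookup, spoofed=SPOOFED_CLAIMS, victim_id=1):
    """Returns True if the given lookup would hand the victim's account to
    the holder of the spoofed token; used to compare both strategies."""
    acct = lookup(spoofed)
    return acct is not None and acct["id"] == victim_id
```

Running `is_account_takeover` against each lookup shows the email-keyed version yields the victim's account while the 'sub'-keyed version yields no match.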
Incorrect implementations of OAuth have recently been discovered in large businesses, highlighting the need for organizations to secure this potential attack vector. In March, flaws in the authorization system of the Booking.com website were revealed that could have allowed attackers to take over user accounts and access personal or payment-card data. In May, a bug tracked as CVE-2023-28131 was found in the OAuth implementation of Expo, an open-source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase. The flaw threatened the accounts of users who logged in to online services using various social media accounts through the framework.
Cohen underlined that OAuth and similar standards are reliable and robust authentication approaches but stressed the importance of working with cybersecurity and authentication experts when implementing them. He also highlighted the need for regular penetration testing and review of the implementation or using an authentication platform built by security experts. The significance of securing authentication cannot be overstated, as cybercriminals are actively searching for such weaknesses to exploit and cause widespread harm. Cohen concluded, "With the increase of organizations adopting cloud technologies and SaaS applications, identity is the new firewall. If user authentication is not well-designed, it doesn’t matter how secure the application is itself as you will leave the front door open to cyberattacks."