Threat actors could exploit a vulnerability in Microsoft Azure Active Directory's Open Authorization (OAuth) process, dubbed "nOAuth," to achieve complete account takeovers, reports The Hacker News.
The authentication implementation flaw, identified and reported by Descope, stems from a misconfiguration that allows the email attribute under Azure AD's "Contact information" to be modified, combined with abuse of the "Log in with Microsoft" functionality to hijack accounts, said Descope Chief Security Officer Omer Cohen.
"If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen added.
Meanwhile, Microsoft has regarded the vulnerability as an "insecure anti-pattern."
"An attacker can falsify the email claim in tokens issued to applications. Additionally, the threat of data leakage exists if applications use such claims for email lookup," said Microsoft, which has already alerted multi-tenant apps that have users whose email addresses do not have verified domain owners.
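The anti-pattern Microsoft describes, shown as an added illustration that is not code from the article, Descope or Microsoft: a login handler that merges accounts on the `email` claim beside one keyed on the token's tenant (`tid`) and object (`oid`) identifiers. The user store, claim values and tenant ids are constructed, and signature, issuer and audience validation are assumed to have already passed.

```python
# Constructed illustration: the same validated token claims handled two ways.
# Signature/issuer/audience checks are assumed to have already passed.

# Constructed local user store: the victim signed up with a password and never
# linked a Microsoft account (ms_key is None).
def make_users():
    return {"victim@example.com": {"user_id": 1, "ms_key": None}}

def ms_key(claims):
    """Immutable identity: tenant id + object id, both set by Azure AD, not the user."""
    return f"{claims['tid']}:{claims['oid']}"

def vulnerable_login(claims, users):
    """Anti-pattern: the mutable, unverified email claim selects the account."""
    email = claims.get("email", "").lower()
    if email in users:
        users[email]["ms_key"] = ms_key(claims)   # silent merge = takeover
        return users[email]["user_id"]
    return None

def hardened_login(claims, users):
    """Only a previously linked tid:oid maps to an account; email is never a key."""
    key = ms_key(claims)
    for rec in users.values():
        if rec["ms_key"] == key:
            return rec["user_id"]
    return None   # unknown identity: offer sign-up or an explicit link step

def link_account(users, email, claims):
    """Explicit linking, to be called only inside an authenticated session
    of the local account owner (e.g. from the account settings page)."""
    users[email]["ms_key"] = ms_key(claims)

# Constructed attacker token: the attacker's own tenant and object id, with the
# email attribute edited to the victim's address in "Contact information".
ATTACKER_CLAIMS = {
    "tid": "00000000-0000-0000-0000-00000000aaaa",
    "oid": "00000000-0000-0000-0000-00000000bbbb",
    "email": "victim@example.com",
}

if __name__ == "__main__":
    users = make_users()
    print("vulnerable:", vulnerable_login(ATTACKER_CLAIMS, users))  # 1 (taken over)
    users = make_users()
    print("hardened:", hardened_login(ATTACKER_CLAIMS, users))      # None
```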
Total account takeover possible with Microsoft Azure AD flaw