There is a vulnerability in specific Microsoft OAuth 2.0 applications that could let an attacker gain access and control of a victim’s Azure account.
The flaw was found by Cyberark researchers who noticed that many white-listed OAuth applications, at least 54, automatically trust domains and sub-domains that are not registered by Microsoft, so anyone can register them. These apps are essentially given “approved” status by default and can ask for an access_token.
“The combination of these two factors makes it possible to produce an action with the user’s permissions – including gaining access to Azure resources, AD resources and more,” a Cyberark report stated.
To initiate a takeover an attacker would have to convince the target to click on a link or visit a compromised website. From here there are two paths an attacker can take to gain control.
The link-clicking method involves crafting a link for the Microsoft OAuth web flow using one of the vulnerable Microsoft applications: the application_id is set to match the vulnerable OAuth application, the redirect_uri parameter is set to the white-listed domain the attacker controls, and the resource parameter is changed to the resource the attacker wants to access on behalf of the user.
When the victim clicks the crafted link, microsoftonline.com redirects him to the attacker’s domain with the access token, and the JavaScript running in that domain sends API requests with the stolen access token.
The steps involved when using a malicious website are basically the same, with a few additions. After setting the redirect_uri parameter to the controlled white-listed domain, the threat actor sets the resource parameter to the resource he wants to access on behalf of the user.
The attacker then places an iframe in a website with the src attribute set to the crafted link, so when the victim browses to that page the iframe redirects the person to the attacker’s fake website with the newly created access token. Then, as with the link method, the JavaScript running in the domain sends API requests with the stolen access token.
“While OAuth 2.0 is an excellent solution for authorization, if misused or misconfigured, it could have a tremendous impact, allowing for over-privileged third-party applications or the eventual account takeover by malicious attackers,” Cyberark said.
The company offers a free, automatic scanning tool that anyone can use to discover similar vulnerable applications in their Azure environment at https://black.direct/.
Cyberark also has several recommendations to mitigate the vulnerability.
- Make sure that all the trusted redirect URIs configured in the application are under your ownership.
- Remove unnecessary redirect URIs.
- Make sure the permissions that the OAuth application asks for are the least privileged ones it needs.
- Disable non-used applications.
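One way to apply the first two recommendations, as an added example that is not Cyberark’s tool or Microsoft’s code: a Python audit over a simplified export of app registrations (the export shape, the field names, the app names and the domains are constructed assumptions). The ownership check is a hostname suffix match, so a look-alike host such as example.com.evil-example.org is flagged instead of slipping past a substring match.

```python
from urllib.parse import urlsplit

# Constructed sample: a simplified export of app registrations. The field
# names are assumptions for this example, not a Microsoft Graph schema.
APP_REGISTRATIONS = [
    {"displayName": "payroll-portal",
     "redirectUris": ["https://payroll.example.com/callback",
                      "https://login.example.com/oauth"]},
    {"displayName": "legacy-reporting",
     "redirectUris": ["https://reports.example.com/cb",
                      "https://old-vendor-example.net/return"]},
    {"displayName": "demo-app",
     "redirectUris": ["https://example.com.evil-example.org/cb",
                      "not-a-url"]},
]

# Domains the organisation actually owns (constructed for the example).
OWNED_DOMAINS = {"example.com"}


def host_is_owned(host, owned):
    """True if host equals an owned domain or is a sub-domain of one.
    Uses a label-boundary suffix match, not a substring test."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def audit_redirect_uris(apps, owned):
    """Return (app, uri, reason) for every redirect URI that is not under
    the organisation's ownership or has no parsable host at all."""
    findings = []
    for app in apps:
        for uri in app["redirectUris"]:
            host = urlsplit(uri).hostname
            if not host:
                findings.append((app["displayName"], uri, "no-host"))
            elif not host_is_owned(host, owned):
                findings.append((app["displayName"], uri, "host-not-owned"))
    return findings


if __name__ == "__main__":
    for app, uri, reason in audit_redirect_uris(APP_REGISTRATIONS, OWNED_DOMAINS):
        print(f"{app}: {uri} -> {reason}")
```

Every flagged URI is a candidate for removal under the second recommendation; anything left should be a host you control.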