Before publishing, Descope informed Microsoft, several “large vulnerable applications,” and two authentication platform providers of the issue and Microsoft has reportedly taken mitigating steps.
Context
On June 20, 2023, researchers at Descope reported the technical details of a security flaw in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process they dubbed “n0Auth.” According to Descope, the flaw could allow full account takeover.
Technical Details
According to Descope:
- “nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications.
- According to the OAuth specification, the user is uniquely identified by the “sub” (subject) claim. Most IdPs provide the common (yet non-standard) “email” claim. Using the email claim as the user identifier becomes an issue when this claim is mutable, which is why most IdPs advise against using email as an identifier. In Microsoft Azure AD, the email claim is both mutable and unverified so it should never be trusted or used as an identifier.
- A bad actor can change the Email attribute under “Contact Information” in the Azure AD account to control the “email” claim in the returned identity JWT.
- The combined effect of the points above allows an attacker that created their Azure AD tenant to use “Log in with Microsoft” with a vulnerable app and a specially crafted “victim” user, resulting in a complete account takeover.”
Mitigation
Descope researchers report that “Microsoft is introducing two new claims to mitigate cases when nOAuth is used for cross-tenant spoofing. These features will enable apps to verify whether an email claim contains a domain-verified email address and redact email claims when the email domain is unverified.”
In addition, Descope provided the following recommendations:
- “As Microsoft suggests in their claims validation documentation, “upc”, “email”, “preferred_username” and other claims should not be used to make authentication or authorization decisions. The claim that should be used as the unique identifier for the user is the “sub” (Subject) claim.
- If you’d like to continue merging user accounts, it’s important to validate the email address provided by Microsoft with a magic link or similar secure means to ensure this email is in control of the real account holder. Check out this developer blog to learn how Descope securely merges accounts when “Log in with Microsoft” is used.
You can also use the two new claims introduced by Microsoft to explicitly indicate whether an email claim is from a domain-verified email and redact the email claim if needed, allowing full flexibility for developers with relevant use cases.”