Account Takeover Proof of Concept for OAuth Security Flaw in Microsoft Azure Active Directory

Descope researchers recently reported a security flaw in the Microsoft Azure Active Directory (AD).

Before publishing, Descope informed Microsoft, several “large vulnerable applications,” and two authentication platform providers of the issue, and Microsoft has reportedly taken mitigating steps.

Context

On June 20, 2023, researchers at Descope reported the technical details of a security flaw in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process that they dubbed “nOAuth.” According to Descope, the flaw could allow full account takeover.

Technical Details

According to Descope:

  • “nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications.
  • According to the OAuth specification, the user is uniquely identified by the “sub” (subject) claim. Most IdPs provide the common (yet non-standard) “email” claim. Using the email claim as the user identifier becomes an issue when this claim is mutable, which is why most IdPs advise against using email as an identifier. In Microsoft Azure AD, the email claim is both mutable and unverified so it should never be trusted or used as an identifier.
  • A bad actor can change the Email attribute under “Contact Information” in the Azure AD account to control the “email” claim in the returned identity JWT.
  • The combined effect of the points above allows an attacker that created their Azure AD tenant to use “Log in with Microsoft” with a vulnerable app and a specially crafted “victim” user, resulting in a complete account takeover.”

Mitigation

Descope researchers report that “Microsoft is introducing two new claims to mitigate cases when nOAuth is used for cross-tenant spoofing. These features will enable apps to verify whether an email claim contains a domain-verified email address and redact email claims when the email domain is unverified.”

In addition, Descope provided the following recommendations:

  • “As Microsoft suggests in their claims validation documentation, “upn”, “email”, “preferred_username” and other claims should not be used to make authentication or authorization decisions. The claim that should be used as the unique identifier for the user is the “sub” (Subject) claim.
  • If you’d like to continue merging user accounts, it’s important to validate the email address provided by Microsoft with a magic link or similar secure means to ensure this email is in control of the real account holder. Check out this developer blog to learn how Descope securely merges accounts when “Log in with Microsoft” is used.

You can also use the two new claims introduced by Microsoft to explicitly indicate whether an email claim is from a domain-verified email and redact the email claim if needed, allowing full flexibility for developers with relevant use cases.”
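The following Python is an added illustration of both the flaw described under Technical Details and the recommendations above; it is not code from Descope or Microsoft. It places the vulnerable lookup (user identified by the mutable “email” claim) beside the hardened lookup (user identified by the issuer-scoped “sub” claim) and then shows an account-merge check that accepts an email match only when the address has been proven, either by a magic link the app sent itself or by a domain-verified indication in the token. The claim dictionaries stand in for the decoded payload of an ID token whose signature, issuer and audience are assumed to have already been verified; the tenant IDs, subjects and addresses are constructed sample values, and the claim name `xms_edov` is taken from Microsoft's optional-claims documentation rather than from this advisory and should be checked against current docs.

```python
"""Resolving the signed-in user for a multi-tenant "Log in with Microsoft" app.

Added example, not code from Descope or Microsoft.  Each dict below stands in
for the decoded payload of an Azure AD ID token whose signature, issuer and
audience are assumed to have been verified already (out of scope here).
Tenant IDs, subjects and addresses are constructed sample values.
"""

VICTIM_TENANT = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"
ATTACKER_TENANT = "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"

# Token the legitimate user received when she first signed up with the app.
VICTIM_CLAIMS = {
    "iss": VICTIM_TENANT,
    "sub": "victim-sub-0001",
    "email": "alice@victim.example",
}

# Token minted by a tenant the attacker controls.  "iss" and "sub" are the
# attacker's own; only the mutable, unverified "email" claim matches Alice,
# which is exactly the attribute the advisory says can be set freely.
ATTACKER_CLAIMS = {
    "iss": ATTACKER_TENANT,
    "sub": "attacker-sub-0001",
    "email": "alice@victim.example",
}

# The relying application's user store, populated when Alice signed up.
USERS = [
    {
        "id": 1,
        "name": "Alice",
        "role": "admin",
        "email": "alice@victim.example",
        "microsoft_identity": (VICTIM_TENANT, "victim-sub-0001"),
    },
]


def lookup_vulnerable(claims):
    """Before: identifies the user by the "email" claim (the nOAuth flaw)."""
    for user in USERS:
        if user["email"] == claims.get("email"):
            return user
    return None


def lookup_hardened(claims):
    """After: identifies the user by the (iss, sub) pair and nothing else.

    "sub" is only unique within one issuer, so in a multi-tenant app the
    issuer must be part of the key; "email" plays no part in the decision.
    """
    if "iss" not in claims or "sub" not in claims:
        raise ValueError("token lacks the required iss/sub claims")
    identity = (claims["iss"], claims["sub"])
    for user in USERS:
        if user["microsoft_identity"] == identity:
            return user
    return None


def find_mergeable_account(claims, magic_link_confirmed=False):
    """Return an existing account a *new* (iss, sub) identity may be linked
    to by email, or None.

    Linking by email is allowed only once the address is demonstrably under
    the account holder's control: the app confirmed it out of band (a magic
    link sent to that address) or the token says the domain is verified.
    xms_edov is assumed to be the domain-verified claim; check current docs.
    """
    if lookup_hardened(claims) is not None:
        return None  # already linked by (iss, sub); nothing to merge
    address_proven = magic_link_confirmed or claims.get("xms_edov") is True
    if not address_proven:
        return None
    return next((u for u in USERS if u["email"] == claims.get("email")), None)


if __name__ == "__main__":
    hit = lookup_vulnerable(ATTACKER_CLAIMS)
    print("email-based lookup resolves attacker token to:", hit and hit["name"])
    print("sub-based lookup resolves attacker token to:", lookup_hardened(ATTACKER_CLAIMS))
    print("merge by unproven email allowed:", find_mergeable_account(ATTACKER_CLAIMS) is not None)
```

Run as a script, it shows the email-based lookup handing the attacker's token Alice's admin account, while the (iss, sub) lookup returns nothing and the merge check refuses to link on an unproven address. The magic-link flag is an input here because the proof of address control belongs to the app's own flow, not to the token.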
