Thousands Affected by Microsoft Azure AD ‘Log in With Microsoft’ Authentication Bypass

Organizations at Risk: Vulnerability in “Log in with Microsoft” Feature Exposes Accounts to Attacks

The nOAuth Attack: Authentication Bypass in Microsoft Azure AD

A recent discovery by researchers at Descope highlights a critical vulnerability in the “Log in with Microsoft” feature implemented in Microsoft Azure Active Directory (AD) environments. Dubbed “nOAuth,” this flaw allows malicious actors to bypass authentication and gain unauthorized access to online and cloud accounts. The implications of this attack are far-reaching, as it enables complete control over victims’ accounts, including the ability to exfiltrate data, establish persistence, and explore lateral movement.

The Problem with OAuth and OpenID Connect

To understand the vulnerability, we must first look at the authentication protocols involved. OAuth and OpenID Connect are widely used open standards that let users sign in to various applications with credentials held by a trusted identity provider. This is commonly seen with the “Log in with Facebook” or “Log in with Google” options on e-commerce websites. In the case of Azure AD, OAuth is employed to manage user access to external resources, including Microsoft 365, the Azure portal, and numerous other OAuth apps.

However, Descope’s analysis reveals a flaw in Microsoft Azure AD’s implementation of OAuth. Many applications treat the user’s email address as the unique identifier for an account. Yet Azure AD’s “email” claim is mutable and unverified, so it cannot be trusted for that purpose. An attacker who understands the platform can exploit this by presenting a victim’s email address in their own token, impersonating the victim and bypassing authentication.

The Attack Flow: Simplicity Breeds Danger

The attack leveraging nOAuth is shockingly simple. Signed in to their own Azure AD tenant as an administrator, an attacker changes the “email” attribute of an account they control to the victim’s email address; Azure AD does not validate that value. When the attacker then uses “Log in with Microsoft” against an application that identifies users by the email claim, the application merges the attacker’s and victim’s accounts, granting the attacker full access to the victim’s environment.

The Extent of the Vulnerability

Descope researchers conducted a proof-of-concept exploit, testing hundreds of websites and applications to identify vulnerabilities. They discovered multiple organizations, including a design app with millions of monthly users, a publicly traded customer experience company, a leading multicloud consulting provider, and several small and medium-sized businesses (SMBs) and early-stage startups, susceptible to the attack. Additionally, Descope informed two authentication platform providers that were merging user accounts when “Log in with Microsoft” was used, potentially putting all their customers at risk.

While these findings are concerning, they represent only a fraction of the internet. Numerous other users are likely to be affected, making the scope of this vulnerability potentially enormous.

Addressing the Vulnerability and the Larger Issue of OAuth Implementations

Microsoft’s Response

Upon being informed of the extent of the vulnerability, Microsoft provided additional guidance for Azure AD OAuth implementations. The company now advises developers not to use the “email” claim as the unique identifier for authentication. Instead, it recommends using the “sub” (Subject) claim to mitigate potential exploitation. Microsoft’s willingness to address the issue promptly is commendable, demonstrating its commitment to user security.
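The following added example (not code from Descope, Microsoft or the affected applications) shows both halves of the story above: an email-keyed account lookup that a token from an attacker-controlled tenant satisfies, beside a lookup keyed on the issuer and “sub” claims as Microsoft now recommends. The claim sets, tenant IDs and account IDs are constructed placeholders, and the tokens are assumed to have already passed signature validation.

```python
# Added example (not from the Descope write-up or Microsoft's docs): a relying
# party mapping "Log in with Microsoft" ID-token claims to local accounts.
# Claim sets are constructed in-line and assumed already signature-verified.

from dataclasses import dataclass, field

# Constructed: the victim's own Azure AD tenant issued this token.
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "sub": "victim-subject-placeholder",
    "email": "victim@example.com",
}
# Constructed: the attacker's tenant, where they are admin and have set the
# mutable "email" attribute to the victim's address. "iss" and "sub" differ.
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "sub": "attacker-subject-placeholder",
    "email": "victim@example.com",
}

@dataclass
class AccountStore:
    by_email: dict = field(default_factory=dict)       # vulnerable index
    by_issuer_sub: dict = field(default_factory=dict)  # hardened index

    def register(self, account_id, claims):
        self.by_email[claims["email"]] = account_id
        self.by_issuer_sub[(claims["iss"], claims["sub"])] = account_id

def login_by_email(store, claims):
    """nOAuth-vulnerable: trusts the unverified, mutable 'email' claim."""
    return store.by_email.get(claims["email"])

def login_by_subject(store, claims):
    """Hardened: 'sub' is stable but unique only per issuer, so key on both."""
    return store.by_issuer_sub.get((claims["iss"], claims["sub"]))

def demo():
    store = AccountStore()
    store.register("acct-42", VICTIM_CLAIMS)  # victim signs up first
    return {
        "email_lookup_attacker": login_by_email(store, ATTACKER_CLAIMS),
        "subject_lookup_attacker": login_by_subject(store, ATTACKER_CLAIMS),
        "subject_lookup_victim": login_by_subject(store, VICTIM_CLAIMS),
    }

if __name__ == "__main__":
    print(demo())
```

The email-keyed lookup hands the victim’s account to the attacker’s token, while the issuer-plus-subject lookup returns nothing for it and still resolves the victim’s own token correctly.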

Improper Implementations Plague Organizations

The nOAuth vulnerability underscores a larger problem of incorrect implementations of OAuth. In recent months, major organizations, including Booking.com and Expo, have faced flaws in their authorization systems that could have exposed user accounts to unauthorized access. It is clear that organizations must prioritize the security and validation of their OAuth implementations.

The Importance of Expertise in Authentication Implementation

Implementing authentication standards like OAuth correctly is crucial for safeguarding applications. These standards are complex and require expertise to ensure their effective deployment. Working with cybersecurity and authentication experts during the development process is essential to ensure the integrity and security of authentication systems.

The Role of Regular Penetration Testing

Organizations that choose to implement these standards in-house must conduct regular penetration testing and constant review of their implementation. This practice helps identify vulnerabilities and weaknesses, enabling timely remediation and reducing the likelihood of exploitation by cybercriminals.

The Need for Security Experts and Authentication Platforms

Given the prevalence of cloud technologies and Software-as-a-Service (SaaS) applications, user authentication has become the new firewall against cyberattacks. Businesses cannot afford to overlook the importance of strong authentication practices. Engaging with security experts or using authentication platforms built by security professionals can significantly enhance the security of authentication systems.

Conclusion: Addressing Vulnerabilities to Protect User Accounts

The nOAuth vulnerability serves as a reminder that even popular and widely adopted standards like OAuth can be compromised if not implemented correctly. Organizations must prioritize the security of their authentication systems to prevent unauthorized access to user accounts. Microsoft’s overhaul of its Azure AD OAuth implementation guidance demonstrates the company’s commitment to user safety. However, it is the responsibility of organizations to ensure their implementations adhere to industry best practices and undergo regular security testing. By doing so, businesses can minimize the risk of exploitation and protect their users from cyberattacks.
