Discover the alarming security flaw in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process that poses a severe risk of complete account takeovers. OAuth and OpenID Connect (OIDC) frameworks serve as the backbone for secure authorization, allowing users to authorize access to their resources across applications while protecting their identity information. However, a misconfiguration known as nOAuth can exploit this process, leading to compromised user security. In this article, we will dive deep into the nOAuth attack flow, explore its implications, and propose effective steps to remediate and mitigate these vulnerabilities.
Understanding OAuth and OpenID Connect
OAuth, an open, token-based authorization framework, enables secure authorization between applications without disclosing users' identity credentials. Built on OAuth 2.0, OpenID Connect (OIDC) allows applications to verify user identities and obtain basic profile information through JSON Web Tokens (JWT).
Identity Providers (IdP)
Identity Providers (IdP) act as external sources for user identities. Common IdPs include Okta, Google, Twitter, and Azure AD, which plays a critical role in Microsoft OAuth.
Azure Active Directory (Azure AD)
Azure AD, a cloud-based identity and access management service, manages user access to various resources like Microsoft 365 and Azure portal using OAuth apps. It also handles internal resources and offers authentication through OAuth, OIDC, and other standard protocols.
The Threat of nOAuth
Credit to the security team at Descope who have discovered a gray area in Microsoft Azure AD OAuth applications that could lead to full account takeover. nOAuth refers to a misconfiguration within Microsoft OAuth that allows attackers to perform full account takeovers. When a user logs in to an application using authentication methods like "Log in with Microsoft," the application may merge user accounts based on the email address provided by the Identity Provider. However, in the case of nOAuth, the lack of email validation allows attackers to gain complete control by merging accounts, even if the email address is unverified or untrusted.
nOAuth Attack Flow
Let's outline the steps an attacker would take in an nOAuth attack:
1. Preparation: a. The attacker gains admin access to their Azure AD account. b. Exploiting the absence of email validation in Azure AD, the attacker changes the "Email" attribute to the victim's email address.
2. Attack: a. Leveraging a vulnerable website or app that supports "Log in with Microsoft," the attacker uses the victim's email address. b. If the application merges user accounts without proper validation, the attacker gains full control over the victim's account, regardless of whether the victim has a Microsoft account. c. With the compromised account, the attacker can engage in various malicious activities, including establishing persistence, exfiltrating data, and exploring lateral movement possibilities.
Microsoft has acknowledged the nOAuth configuration issue and provided guidance to customers. They have updated their documentation and implemented additional fixes to mitigate cross-tenant spoofing. Microsoft now recommends the use of two new claims, namely "xms_edov" (Email Domain Owner Verified) and "RemoveUnverifiedEmailClaim," to prevent nOAuth attacks. These claims offer developers options to verify domain ownership and redact unverified email claims, enhancing security.
To effectively prevent nOAuth attacks, developers should adhere to Microsoft's claims validation guidelines. Avoid using claims such as "upc," "email," and "preferred_username" for authentication or authorization decisions. Instead, rely on the "sub" (Subject) claim as the unique identifier for users. When merging user accounts, it is essential to validate the email address provided by Microsoft using secure means. Additionally, developers can leverage the new claims introduced by Microsoft, "xms_edov" and "RemoveUnverifiedEmailClaim," to enhance security and flexibility.
In conclusion, the nOAuth vulnerability poses a significant threat to user accounts when Microsoft OAuth is misconfigured. However, by understanding the attack flow and implementing the recommended remediation steps, developers and organizations can effectively mitigate this risk and ensure the security of their applications.
Staying informed and proactive is crucial in the ever-evolving landscape of cybersecurity. Regularly testing for vulnerabilities and promptly addressing any identified issues will help maintain a strong defense against nOAuth attacks. At Armoryze, we specialize in zero-trust security and managed services, providing expert support to fortify your application's security. Schedule a FREE consultation today and take the first step in safeguarding your valuable assets and user data.
Don't wait until it's too late. Take action now to protect your users and maintain their trust in your application. Armoryze is ready to guide you through the complexities of cybersecurity and help you build a robust defense against nOAuth attacks.