Azure AD ‘Log in With Microsoft’ Authentication Vulnerability Impacts Thousands

A potential authentication bypass vulnerability in the “Log in with Microsoft” feature of Microsoft Azure Active Directory has been identified by researchers at Descope. The flaw, known as nOAuth, affects multitenant OAuth applications in Azure AD, allowing bad actors to perform online account takeovers and gain full control of a victim’s accounts. This could result in data exfiltration, persistence, and even lateral movement within the victim’s environment.

OAuth is a widely used token-based authorization framework that enables users to log into applications automatically based on previous authentication to other trusted apps. In the Azure AD environment, OAuth is used to manage user access to external resources, including Microsoft 365, the Azure portal, and various other SaaS applications.

The vulnerability lies in the way email addresses are used as unique identifiers in OAuth and OpenID Connect implementations. In Microsoft Azure AD, the “email” claim returned is mutable and unverified, making it untrustworthy. This means that attackers with knowledge of the platform can set up an Azure AD account and change the email attribute to impersonate any victim. By doing so, they can bypass authentication and take over the victim’s accounts on any app that uses the “email” claim as a unique identifier, effectively granting them full control.

The attack flow is relatively straightforward. Attackers gain administrator access to their Azure AD account and change the “email” attribute to the victim’s email address. Since Azure AD does not require validation of email changes, the system merges the attacker and victim accounts, ultimately granting the attackers access to the victim’s environment.

Descope researchers conducted a proof-of-concept (PoC) exploit to assess the scope of the vulnerability. They discovered that multiple websites and applications were vulnerable, including a design app with millions of users, a publicly traded customer experience company, a leading multicloud consulting provider, and several SMBs and early-stage startups. This suggests that the potential impact of the vulnerability is significant and may affect countless users.

Following Descope’s report, Microsoft has revamped its Azure AD OAuth implementation guidance to address the issue. The company now advises developers to use new claims and includes dedicated sections on claim verification to mitigate the risk. It emphasizes the importance of avoiding the use of email addresses as unique identifiers for authentication and recommends using the “sub” (Subject) claim instead.
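To make the difference between the two identifier choices concrete, here is an added illustration (not code from Descope, Microsoft, or the affected apps) of an application's sign-in lookup. The token payloads, tenant/subject values and user store are constructed for the example; the "vulnerable" function keys on the mutable "email" claim, the hardened one keys on the tenant-scoped "sub" claim as Microsoft's updated guidance recommends.

```python
# Constructed, already-signature-verified ID token claims (not real tokens).
# Both carry the same email: the attacker changed the mutable, unverified
# "email" attribute in their own tenant to the victim's address.
VICTIM_CLAIMS = {"tid": "tenant-A", "sub": "sub-victim-1111",
                 "email": "alice@example.com"}
ATTACKER_CLAIMS = {"tid": "tenant-B", "sub": "sub-attacker-9999",
                   "email": "alice@example.com"}

# Hypothetical application user store for a pre-existing victim account.
ALICE = {"name": "Alice", "role": "admin"}
USERS_BY_EMAIL = {"alice@example.com": ALICE}
USERS_BY_SUB = {("tenant-A", "sub-victim-1111"): ALICE}


def login_by_email(claims):
    """Vulnerable pattern: the unverified 'email' claim is the account key,
    so any tenant that sets that address resolves to the victim's account."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def login_by_subject(claims):
    """Hardened pattern: key on the immutable subject, scoped by tenant, and
    never fall back to email. An unknown subject is a new, separate identity;
    linking it to an existing email-based account would need out-of-band
    verification by the application, which this example deliberately omits."""
    key = (claims.get("tid"), claims.get("sub"))
    if key in USERS_BY_SUB:
        return USERS_BY_SUB[key]
    return None


def nOAuth_exposed():
    """True if the email-keyed lookup lets the attacker token reach the
    victim's account while the subject-keyed lookup does not."""
    return (login_by_email(ATTACKER_CLAIMS) is ALICE
            and login_by_subject(ATTACKER_CLAIMS) is None)
```

Running `login_by_email` on the attacker's token returns Alice's admin account; `login_by_subject` returns nothing for it and still resolves the genuine victim token.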

OAuth implementation flaws have been increasingly highlighted in recent months. In March, flaws in the authorization system of the Booking.com website allowed attackers to take over user accounts and gain access to personal and payment-card data. In May, a bug in the OAuth implementation of Expo, an open-source framework for developing native mobile apps, threatened the accounts of users who used social media accounts to log in to services that utilize the framework.

Omer Cohen, CISO at Descope, emphasizes that OAuth and similar standards are reliable and robust authentication approaches. However, he highlights the need for businesses to work with cybersecurity and authentication experts when implementing them. Proper implementation and regular testing are vital to ensure the security of the application. Cohen advises organizations to consider using authentication platforms built by security experts if they do not have the necessary expertise in-house.

With the increasing adoption of cloud technologies and SaaS applications, user authentication has become the new firewall. If authentication is not well-designed, it creates a significant vulnerability that cybercriminals can exploit. Cohen warns that attackers actively target these weaknesses and businesses must prioritize securing user authentication to prevent widespread harm.
