Microsoft Fixes Vulnerability Allowing Takeover of Azure Accounts


A vulnerability in OAuth 2.0 was recently identified by Microsoft that could allow an attacker to take over Azure accounts.

The issue affects specific Microsoft OAuth 2.0 applications and allows an intruder to generate tokens carrying the victim's permissions.

The root cause of the flaw, which CyberArk calls BlackDirect, is that anyone can register domains and subdomains that the affected OAuth applications trust.

In addition, because these applications are approved by default and can request access tokens, an attacker may gain access to Azure resources, Active Directory resources, and more.

The OAuth protocol lets end users grant applications access to their data held by other apps or websites without exposing secrets or passwords. OAuth 2.0 also allows a third-party application, whether a website or a mobile application, to obtain limited access to an HTTP service when the user authorizes it.

In an OAuth 2.0 authorization request, the "redirect_uri" parameter tells the authorization server where to deliver the token to the requesting application. That value is checked against a list of trusted URLs registered for the application, which identifies the URLs and hosts permitted to receive tokens issued for that application.

A redirect_uri misconfiguration can include whitelisting a domain that is unregistered or has lapsed; an attacker who takes over that domain or subdomain can then receive, and thereby steal, any access tokens redirected to it.
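The two defensive checks implied above are exact-match validation of an incoming redirect_uri against the registered list (no substring, prefix or wildcard-subdomain matching) and an audit of the registered list for hosts that no longer resolve, i.e. domains that may have lapsed and could be re-registered by someone else. The following is an added illustration, not code from the article, CyberArk or Microsoft; the app registration, the hosts and the DNS table are constructed for the example, and the resolver is injected so the check runs offline.

```python
"""Redirect URI hygiene checks for an OAuth 2.0 app registration.

Added example (not the article's or any vendor's code). Two checks:
  1. is_valid_redirect: strict exact-match validation of a redirect_uri
     against the registered list, after light normalization.
  2. find_dangling_redirects: flag registered URIs whose host does not
     resolve, a heuristic for domains that may have lapsed.
"""
import socket
from urllib.parse import urlsplit

# Constructed sample registration; hypothetical hosts, not real app data.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/auth/callback",
    "https://legacy.example.net/oauth/cb",   # assume this host has lapsed
    "http://localhost:8080/callback",        # loopback is allowed over http
]


def _normalize(uri):
    """Reduce a URI to (scheme, host, port, path, query) for comparison.
    Raises ValueError for anything that should never be accepted."""
    p = urlsplit(uri)
    if p.scheme not in ("https", "http") or not p.hostname:
        raise ValueError("unsupported or malformed URI")
    if p.fragment:
        raise ValueError("fragment not allowed in redirect_uri")
    if p.scheme == "http" and p.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("plain http only allowed for loopback")
    port = p.port or (443 if p.scheme == "https" else 80)  # p.port may raise ValueError
    return (p.scheme, p.hostname.lower(), port, p.path or "/", p.query)


def is_valid_redirect(candidate, registered=REGISTERED_REDIRECT_URIS):
    """True only if candidate normalizes to exactly one registered URI.
    A different host, subdomain, path or query string is rejected."""
    try:
        c = _normalize(candidate)
    except ValueError:
        return False
    return any(c == _normalize(r) for r in registered)


def find_dangling_redirects(registered, resolve):
    """Return registered URIs whose host does not resolve.
    `resolve` is a callable host -> bool; a non-resolving host is only a
    hint that the domain may be unregistered, so review each hit."""
    dangling = []
    for uri in registered:
        host = urlsplit(uri).hostname
        if host is None or not resolve(host):
            dangling.append(uri)
    return dangling


# Constructed DNS snapshot standing in for real lookups (offline run).
_FAKE_DNS = {"app.example.com": True, "localhost": True, "legacy.example.net": False}


def fake_resolver(host):
    return _FAKE_DNS.get(host, False)


def real_resolver(host):
    """Live variant: resolve via the system resolver."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for uri in ("https://app.example.com/auth/callback",
                "https://app.example.com.attacker.invalid/auth/callback",
                "https://app.example.com/auth/callback?next=x"):
        print(uri, "->", "accept" if is_valid_redirect(uri) else "reject")
    print("dangling:", find_dangling_redirects(REGISTERED_REDIRECT_URIS, fake_resolver))
```

Swap `fake_resolver` for `real_resolver` to audit a real registration; the validator is intentionally stricter than many implementations, because the attack described here depends on a trusted host falling under someone else's control, and prefix or wildcard matching only widens the set of hosts that must stay under your control.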

Some of the Azure applications published by Microsoft itself (Portfolios, Office 365 Secure Score, and Microsoft Service Trust) were found vulnerable to the attack: an attacker who seizes domains and URLs that Microsoft trusts could obtain tokens carrying the victims' rights.

“Each hacker needs to get their victims to click on a link or visit a compromised website, which can easily be done through simple techniques of social engineering,” the security researchers claim.

Since these Azure applications are approved automatically within a Microsoft account, user consent is not required for attackers to use them to create tokens. Furthermore, these apps cannot be removed from the approved applications list of a Microsoft account (some of them do not even appear there).

With a stolen token, an attacker can make requests to API endpoints, for example resetting passwords for other users in AD, adding directory members, and adding users to groups.

“This vulnerability makes it much easier to compromise privileged users, either by simply using social engineering or by infecting a website that privileged users sometimes access. However, the result would most likely entail the full compromise of the entire domain and the Azure environment of the organization,” says CyberArk.

The security researchers describe both zero-click and one-click attack vectors for this vulnerability. Sensitive data may be stolen or lost, and servers may be compromised even if the victim merely visits the website.

Microsoft was notified of the problem at the end of October, and a patch was published a few weeks ago.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.