Organizations that have added the “Log in with Microsoft” feature to their Microsoft Azure Active Directory setups may be exposed to an authentication bypass that can lead to takeovers of online and cloud-based accounts.
Descope researchers have labeled the attack “nOAuth”. According to them, it is an authentication implementation flaw that affects multitenant OAuth apps in Azure AD, Microsoft's cloud-based identity and access management service. If the attack succeeds, the threat actor can take over the victim’s accounts, enabling them to establish persistence, exfiltrate data, determine whether lateral movement is feasible, and carry out other activities.
According to Omer Cohen, CISO at Descope, "OAuth and OpenID Connect are open, popular standards which millions of Web properties already use[…]If 'Log in with Microsoft' is improperly implemented, several of these apps could be vulnerable to account takeover. Small businesses with fewer developer resources could especially be impacted."
About nOAuth Cyberattack Threat
OAuth is an open source, token-based authorization framework that lets users log in to applications automatically based on a prior authentication to another reputable app. Most consumers are already familiar with this thanks to the "Log in with Facebook" or "Log in with Google" options seen on numerous e-commerce websites.
OAuth is used in the Azure AD environment to control user access to outside resources including Microsoft 365, the Azure portal, and thousands of other SaaS applications that support OAuth apps.
According to Descope's analysis, "Azure Active Directory also manages internal resources like apps on your corporate intranet and any cloud apps developed by your own organization by providing authentications via OAuth, OIDC, and other standard protocols."
According to the same Descope analysis, published this week, the flaw lets malicious actors perform cross-platform spoofing with nothing more than an unknowing victim's email address. The email attribute under "Contact Information" in an Azure AD account can be changed at will, so anyone with malicious intent and a reasonable level of platform expertise can control the email claim that is presented during authentication.
"[This] allows the attacker to use 'Log in with Microsoft' with the email address of any victim they want to impersonate[…]They can take over victims' accounts on any app that uses 'email' claim as the unique identifier for Microsoft OAuth and does not validate that email address, completely bypassing authentication," the researchers noted.
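The distinction the researchers draw, as an added example that is not Descope's or Microsoft's code: an account lookup keyed on the mutable `email` claim beside one keyed on the tenant (`tid`) and object (`oid`) identifiers that Azure AD assigns. The user store, claim values and field names are constructed for illustration, and the ID token is assumed to have already been validated (signature, issuer, audience, expiry) before these functions run.

```python
"""Account resolution for 'Log in with Microsoft' (added example).

The claim dicts below are constructed stand-ins for the claims of an
already-verified Azure AD ID token; the hypothetical USERS list stands
in for the relying party's own account table.
"""

# Constructed user store: one account enrolled from tenant-a.
USERS = [
    {"id": 1, "email": "alice@example.com", "tid": "tenant-a", "oid": "oid-alice"},
]


def lookup_by_email(claims):
    """VULNERABLE: treats the unverified `email` claim as the identity.

    Any tenant can set a user's mail attribute to this address, so the
    lookup matches an account the caller does not actually own.
    """
    email = claims.get("email", "").lower()
    for user in USERS:
        if user["email"].lower() == email:
            return user["id"]
    return None


def lookup_by_tenant_and_oid(claims):
    """HARDENED: keys on (tid, oid), which the issuer assigns and the
    account holder cannot edit. Missing claims are rejected outright."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    for user in USERS:
        if user["tid"] == tid and user["oid"] == oid:
            return user["id"]
    return None


# Constructed claims from the genuine account holder's own tenant.
GENUINE_CLAIMS = {"tid": "tenant-a", "oid": "oid-alice", "email": "alice@example.com"}
# Constructed claims from a different tenant whose mail attribute was set
# to the same address: the scenario the article describes.
SPOOFED_CLAIMS = {"tid": "tenant-other", "oid": "oid-mallory", "email": "alice@example.com"}
```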
Incorrect Implementation of OAuth
Incorrect implementation of OAuth has apparently become a recurring problem, and organizations are urged to shut down this potentially harmful attack vector.
Recent examples include vulnerabilities in the authorization system of the Booking.com website. The attack could have allowed attackers to access user accounts and acquire their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com.
Another case came to light when a bug, tracked as CVE-2023-28131, was discovered in the OAuth implementation of Expo, an open-source framework for developing native mobile apps for iOS, Android, and the Web from a single codebase. The vulnerability put at risk users who logged in to an online service built on the framework using their social media accounts.
Cohen notes that OAuth and similar standards are reliable and strong authentication approaches. However, organizations must make sure they work with cybersecurity and authentication professionals when adopting them.
"These standards are extremely complicated to work with[…]Authentication isn’t something you can just add on and check a box. Implementing these standards correctly is critical to the security of the application," says Cohen. He adds, "If businesses choose to implement these standards in-house, then they must have regular pen testing and review of the implementation, or they can use an authentication platform that is built by security experts."
He emphasized that this matters because threat actors are constantly on the lookout for these types of vulnerabilities.