

Researchers have found that a flaw in Microsoft Azure AD can be used by attackers to take over accounts that rely on pre-established trust. In a nutshell, Microsoft Azure AD allows you to change the email address associated with an account without verifying whether you are in control of that email address. And in Microsoft Azure AD OAuth applications, that email address can be used as a unique identifier. So, how can this be used in an account takeover?

To understand how this flaw, dubbed nOAuth by the researchers, works, we need to take a few steps back and explain how OAuth works. OAuth (short for Open Authorization) is a standard authorization protocol. It allows us to get access to protected data from an application. Generally, the OAuth protocol provides a way for resource owners to provide a client or application with secure delegated access to server resources. It specifies a process for resource owners to authorize third-party access to their server resources without providing credentials.

Chances are you have dealt with OAuth many times without being aware of what it is and how it works. For example, some sites allow you to log in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to log in at other sites. We wouldn't recommend it, because if anyone gets hold of the one password that controls them all, you're in even bigger trouble than you would be if only one site's password were compromised. In the example we used above, Facebook is called the identity provider (IdP). Other well-known IdPs are Google, Twitter, Okta, and Microsoft Azure AD. For the "Open" concept in OAuth to work, the authentication is based on pre-established trust with the IdP. In our example, because you are logged into Facebook, the other site or service accepts your identity and allows you access.

Azure AD manages user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other software as a service (SaaS) applications, using OAuth apps. The difference is that most IdPs advise against using an email address as an identifier, but Microsoft Azure AD accepts it. An attacker who wishes to abuse this flaw needs to set up an Azure AD account as admin. They can do this using an email address which is under their control. When they are all set, they can change the Email attribute to one that belongs to the target. The main flaw here is that this requires no validation whatsoever. Now, all the attacker has to do is open the site or service they wish to take over and choose the "Login with Microsoft" option. They will automatically get logged into the account associated with the provided email address.
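To show the relying-party side of this, here is an added example (not code from the article or from the researchers) of a site that links accounts to an IdP login. It contrasts a lookup keyed on the mutable `email` claim with one keyed on the stable OpenID Connect `(iss, sub)` pair; the token claims, tenant URLs and account names are constructed placeholders.

```python
# Added example (not from the original article): why an OAuth relying party must
# not key accounts on the `email` claim. The claim dictionaries stand in for
# already-verified ID-token payloads; they are constructed, not real tokens.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    user_id: str
    email: str
    # Immutable identity from the IdP: (issuer, subject) per OpenID Connect.
    idp_identity: Optional[Tuple[str, str]] = None

@dataclass
class RelyingParty:
    accounts: Dict[str, Account] = field(default_factory=dict)

    def login_by_email_claim(self, claims: dict) -> Optional[Account]:
        """Vulnerable: treats the IdP-supplied `email` claim as the identity."""
        for acct in self.accounts.values():
            if acct.email.lower() == claims["email"].lower():
                return acct
        return None

    def login_by_subject(self, claims: dict) -> Optional[Account]:
        """Hardened: match only on the (iss, sub) pair the IdP issued.
        Azure AD tokens also carry `tid`/`oid`, which can fill the same role."""
        ident = (claims["iss"], claims["sub"])
        for acct in self.accounts.values():
            if acct.idp_identity == ident:
                return acct
        return None  # unknown subject: provision a new account, never merge by email

def demo() -> Tuple[Optional[str], Optional[str]]:
    rp = RelyingParty()
    # Constructed victim account, linked to the victim's own tenant and subject.
    victim_iss = "https://login.microsoftonline.com/TENANT-A-PLACEHOLDER/v2.0"
    rp.accounts["u1"] = Account("u1", "victim@example.com", (victim_iss, "sub-victim"))
    # Constructed token from a different tenant whose Email attribute was set to
    # the victim's address, the behaviour the article describes.
    foreign_claims = {
        "iss": "https://login.microsoftonline.com/TENANT-B-PLACEHOLDER/v2.0",
        "sub": "sub-other",
        "email": "victim@example.com",
    }
    weak = rp.login_by_email_claim(foreign_claims)
    strong = rp.login_by_subject(foreign_claims)
    # Returns ("u1", None): the email lookup hands over the victim's account,
    # the subject lookup does not recognise the foreign token.
    return (weak.user_id if weak else None, strong.user_id if strong else None)
```

Detection-wise, the same comparison applies to logs: a login whose `sub` or tenant differs from the one recorded for an account, while the email matches, is the signal to alert on.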
