URL: https://www.securityweek.com/researchers-flag-account-takeover-flaw-in-microsoft-azure-ad-oauth-apps/

CLOUD SECURITY


RESEARCHERS FLAG ACCOUNT TAKEOVER FLAW IN MICROSOFT AZURE AD OAUTH APPS

Businesses using ‘Log in with Microsoft’ could be exposed to privilege
escalation and full account takeover exploits.

By

Ryan Naraine

June 20, 2023

Researchers at security startup Descope have discovered a major misconfiguration
in Microsoft Azure AD OAuth applications and warned that any business using ‘Log
in with Microsoft’ could be exposed to full account takeover exploits.

The security defect, nicknamed nOAuth, is described as an authentication
implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth
applications.

According to an advisory documenting the issue, Descope noted that a malicious
actor can modify email attributes in Microsoft Azure AD accounts and exploit the
one-click “Log in with Microsoft” feature with the email address of any victim
they want to impersonate. 

“In usual OAuth and OpenID Connect implementations, the user’s email address is
used as the unique identifier by applications. However, in Microsoft Azure AD,
the ‘email’ claim returned is mutable and unverified so it cannot be trusted,”
Descope explained.

The company said the combined effect allows an attacker who has created their
own Azure AD tenant to use “Log in with Microsoft” against a vulnerable app with
a specially crafted “victim” user, resulting in a complete account takeover.
Descope released a demo video showing how simple exploitation could be.

Descope, a startup in the customer identity space, reported the issue to
Microsoft earlier this year and worked with Redmond on new mitigations to
protect businesses from privilege escalation attacks.

Microsoft described the issue as “an insecure anti-pattern used in Azure AD
(AAD) applications” where use of the email claim from access tokens for
authorization can lead to an escalation of privilege.

“An attacker can falsify the email claim in tokens issued to applications.
Additionally, the threat of data leakage exists if applications use such claims
for email lookup,” Microsoft acknowledged.

“Microsoft recommends never using the email claim for authorization purposes. If
your application uses the email claim for authorization or primary user
identification purposes, it is subject to account and privilege escalation
attacks,” the software giant said.

Microsoft is also urging developers to review the authorization business logic
of their applications and follow documented guidance to protect applications
from unauthorized access.
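The anti-pattern Microsoft describes, beside a lookup keyed on the token's immutable identity claims, as an added Python example that is not from the article, Descope or Microsoft; the choice of `iss` + `sub` as the account key, the `Account` store and every claim value are constructed assumptions.

```python
# Account lookup for an app behind "Log in with Microsoft": the insecure
# anti-pattern the article describes next to a hardened version.
# Constructed example; all identifiers and claim values are made up.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    email: str        # display/contact data only, never an identity key
    issuer: str       # 'iss' claim of the tenant the account was linked from
    subject: str      # immutable 'sub' claim for that user in this app

# Constructed user store: the victim signed up from their own tenant.
VICTIM_ISS = "https://login.microsoftonline.com/<victim-tenant-id>/v2.0"
ACCOUNTS = [Account("acct-001", "victim@example.com", VICTIM_ISS, "sub-victim")]

def lookup_by_email(claims: dict) -> Optional[Account]:
    """Anti-pattern: the 'email' claim is mutable and unverified in Azure AD,
    so whoever controls a tenant can make it carry any address."""
    email = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.email.lower() == email), None)

def lookup_by_identity(claims: dict) -> Optional[Account]:
    """Hardened: key on issuer + 'sub' (Azure AD's 'tid' + 'oid' pair works too).
    Unknown identity returns None; the caller must never fall back to email."""
    return next((a for a in ACCOUNTS
                 if a.issuer == claims["iss"] and a.subject == claims["sub"]), None)

def email_collision(claims: dict) -> Optional[Account]:
    """Detection hook: a token whose email matches an existing account but
    whose identity does not is exactly the nOAuth pattern; log and alert."""
    by_email = lookup_by_email(claims)
    if by_email and lookup_by_identity(claims) is None:
        return by_email
    return None

# Constructed token from a tenant the attacker controls, with the email
# attribute of their own user set to the victim's address.
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<attacker-tenant-id>/v2.0",
    "sub": "sub-attacker",
    "email": "victim@example.com",
}
VICTIM_CLAIMS = {"iss": VICTIM_ISS, "sub": "sub-victim", "email": "victim@example.com"}

if __name__ == "__main__":
    print("vulnerable:", lookup_by_email(ATTACKER_CLAIMS))     # victim's account
    print("hardened:  ", lookup_by_identity(ATTACKER_CLAIMS))  # None
    print("collision: ", email_collision(ATTACKER_CLAIMS))     # account to alert on
```

`lookup_by_identity` returning None for an unfamiliar `iss`/`sub` should be handled as a new sign-up, with any email-based account linking requiring separate proof of mailbox ownership.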

Related: Descope Targets Customer Identity Market with Massive $53M Seed Round

Related: Microsoft Warns of High-Severity Vulnerability in Azure AD

Related: Microsoft Fixes Privilege Escalation Flaw in Azure AD Connect

Related: Microsoft Patches Azure Cosmos DB Code Execution Flaw





Written By Ryan Naraine

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security
Conversations podcast series. He is a security community engagement expert who
has built programs at major global brands, including Intel Corp., Bishop Fox and
GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an
advisor to early-stage entrepreneurs, and a regular speaker at security
conferences around the world.



