Security researchers from the Israeli company CyberArk discovered a vulnerability in the Microsoft authorization system, which allows hacking accounts.This vulnerability is located in the Microsoft Azure cloud service. The problem affects certain applications that use the Microsoft OAuth 2.0 authorization protocol, and its operation allows creating tokens for entering the system.
In this way, attackers can take control of victims’ accounts and act on their behalf.
“The OAuth applications trust domains and sub-domains are not registered by Microsoft, so they can be registered by anyone (including an attacker). These apps are approved by default and are allowed to ask for “access_token.” The combination of these two factors makes it possible to produce an action with the user’s permissions – including gaining access to Azure resources, AD resources and more.”, — write CyberArk experts.
What is OAuth?
OAuth is an authentication protocol that is typically used by end users to provide websites or applications access to their information from other websites without providing the secrets or passwords of websites or applications. It is widely used by many companies to provide users with the ability to exchange information and data about their accounts with third-party applications or websites.
“The protocol itself is well built and secured, but a wrong implementation or inappropriate usage and configuration can have a colossal impact. During the authorization process, the third-party company or application gets a token with specific permissions to take actions on behalf of the user to whom the token belongs”, — report CyberArk researchers.
Experts have discovered several Azure applications released by Microsoft that are vulnerable to this type of attack. If an attacker gains control of domains and URLs that are trusted by Microsoft, these applications will allow him to trick the victim into automatically generating access tokens with user permissions.
It is enough for the criminal to use simple methods of social engineering to force the victim to click on the link or go to a malicious website. In some cases, an attack can be carried out without user interaction. A malicious web site that hides the embedded page may automatically trigger a request to steal a token from a user account.
Such applications have an advantage over others, as they are automatically approved in any Microsoft account and therefore do not require user consent to create tokens. Programs cannot be removed from the approved applications portal, and some may not be displayed at all.
To mitigate risk and prevent these vulnerabilities, you can do the following:
- Make sure that all the trusted redirect URIs configured in the application are under your ownership.
- Remove unnecessary redirect URIs.
- Make sure the permissions that the OAuth application asks for are the least privileged one it needs.
- Disable non-used applications.
However, CyberArk experts reported about a vulnerability in Microsoft at the end of October, and the company fixed it three weeks later.