{"id":32211,"date":"2019-12-04T23:47:09","date_gmt":"2019-12-04T23:47:09","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/30736\/OAuth-Vulnerability-Threatens-Azure-Accounts.html"},"modified":"2019-12-04T23:47:09","modified_gmt":"2019-12-04T23:47:09","slug":"oauth-vulnerability-threatens-azure-accounts","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/oauth-vulnerability-threatens-azure-accounts\/","title":{"rendered":"OAuth Vulnerability Threatens Azure Accounts"},"content":{"rendered":"
<\/div>\n
\n

There is a vulnerability in specific Microsoft OAuth 2.0 applications that could let an attacker gain access and control of a victim\u2019s Azure account.<\/p>\n

The flaw was found by Cyberark researchers who noticed that many white-listed OAuth applications, at least 54, automatically trust domains and sub-domains that are not registered by Microsoft so anyone can do so. These apps are essentially given \u201capproved\u201d status by default and can ask for an access_token.<\/p>\n

\u201cThe combination of these two factors makes it possible to produce an action with the user\u2019s permissions \u2013 including gaining access to Azure resources, AD resources and more,\u201d a Cyberark report stated<\/a><\/p>\n

To initiate a takeover an attacker would have to convince the target to click on a link or visit a compromised website. From here there are two paths an attacker can take to gain control.<\/p>\n

The link clicking method sees the creation of a crafted link for Microsoft OAuth Web flow with the vulnerable Microsoft applications; then sets the application_id to match the vulnerable OAuth application; followed by setting the redirect_uri param to the controlled white-listed domains. The attacker than changes the resource to the one he wants to get access to on behalf of the user.<\/p>\n

When the victim clicks on the crafted link and microsoftonline.com redirects him to the attacker\u2019s domain with the access token and the Javascript running in the domain sends API requests with the stolen access token.<\/p>\n

To steps involved when using a malicious website is basically the same, but with a few added steps. After setting the redirect_uri parameter to the controlled, white-listed domains the threat actor sets the resource parameter to the desired resource that he wants to get access to on behalf of the user.<\/p>\n

The attacker than places an iframe in a website with the src attribute set to the crafted link so when the victim browses through the ifram redirects the person to the attacker\u2019s fake website with the newly created access token. Then, as with the link method, the Javascript running in the domain sends API requests with the stolen access token.<\/p>\n

\u201cWhile OAuth 2.0 is an excellent solution for authorization, if misused or misconfigured, it could have a tremendous impact, allowing for over-privileged third-party applications or the eventual account takeover by malicious attackers,\u201d Cyberark said.<\/p>\n

The company has a free and automatic scanning tool for anyone to discover similar vulnerable applications in their Azure environment at https:\/\/black.direct\/<\/a><\/p>\n

Cyberark also has several recommendations to mitigate the vulnerability.<\/p>\n