This blog will cover how the Descope security team discovered a gray area in Microsoft Azure AD OAuth applications that could lead to full account takeover. We are naming this configuration issue “nOAuth” because even the bleakest of days has some room for wordplay.
Reach out to our security team if you believe your app is vulnerable to nOAuth and need assistance. Read on to understand how this configuration issue arises, its impact, and suggested remediation steps.
Executive summary
- nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications.
- According to the OpenID Connect specification, the user is uniquely identified by the “sub” (subject) claim. Most IdPs also provide the “email” claim, which OpenID Connect defines as profile information rather than as an identifier. Using the email claim as the user identifier becomes an issue when the claim is mutable, which is why most IdPs advise against using email as an identifier. In Microsoft Azure AD, the email claim is both mutable and unverified, so it should never be trusted or used as an identifier.
- A bad actor can change the Email attribute under “Contact Information” in the Azure AD account to control the “email” claim in the returned identity JWT.
- The combined effect of the points above allows an attacker who controls their own Azure AD tenant to use “Log in with Microsoft” with a vulnerable app and a specially crafted “victim” user, resulting in a complete account takeover.
- Previous Microsoft documentation on this matter recommended not using the email address as the unique identifier. We informed Microsoft of the issue and they have since refactored their documentation, providing stronger guidance and dedicated sections on claim verification.
- As part of Descope’s collaboration with Microsoft on addressing this issue, Microsoft is introducing two new claims to mitigate cases where nOAuth is used for cross-tenant spoofing. These features will enable apps to verify whether an email claim contains a domain-verified email address and to redact email claims when the email domain is unverified.
- We informed several large applications that were vulnerable to this tactic, including a design app with millions of monthly users, a publicly traded customer experience company, and a leading multi-cloud consulting provider.
- We also informed two authentication platform providers that were merging user accounts when “Log in with Microsoft” was used on an existing user account. In this instance, merging the attacker account with a legitimate user account would hand full control of the user account to the attacker. As a result, all of their customers using “Log in with Microsoft” would have been vulnerable.
- To discover whether your app is vulnerable to this issue (and how to fix it), refer to the “Suggested remediation steps” section of this blog.
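To make the flaw in the summary concrete, here is an added example (not code from Descope, Microsoft, or any of the affected apps) showing the two account-lookup strategies side by side. The claim sets are constructed, already-decoded ID-token payloads; signature, issuer, audience and expiry validation are assumed to have passed before this code runs, and `UserStore`, `lookup_user_vulnerable`, `lookup_user_hardened` and the tenant ids are hypothetical names and values. The vulnerable lookup resolves the attacker's token to the victim's account purely because the attacker set their Contact Information email to the victim's address; the hardened lookup keys on the issuer-scoped “sub” claim and refuses to match.

```python
"""Added illustration of the nOAuth lookup flaw (not Descope's or Microsoft's code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_id: int
    email: str  # contact/display value only; never a lookup key in the hardened path


@dataclass
class UserStore:
    """Hypothetical in-memory stand-in for the app's user database."""
    accounts: dict = field(default_factory=dict)   # account_id -> Account
    by_email: dict = field(default_factory=dict)   # lower-cased email -> account_id
    federated: dict = field(default_factory=dict)  # (iss, sub) -> account_id

    def add_account(self, account_id: int, email: str) -> Account:
        acct = Account(account_id, email)
        self.accounts[account_id] = acct
        self.by_email[email.lower()] = account_id
        return acct

    def link_identity(self, iss: str, sub: str, account_id: int) -> None:
        """Record that an IdP identity belongs to a local account. In a real app
        this runs only after an explicit, verified linking step."""
        self.federated[(iss, sub)] = account_id


def lookup_user_vulnerable(store: UserStore, claims: dict) -> Optional[Account]:
    """nOAuth-prone pattern: resolve the login by the "email" claim.

    In Azure AD "email" is copied from the account's Contact Information, which
    the tenant owner can set to any value, and the address is not verified.
    """
    email = claims.get("email", "").lower()
    account_id = store.by_email.get(email)
    return store.accounts.get(account_id) if account_id is not None else None


def lookup_user_hardened(store: UserStore, claims: dict) -> Optional[Account]:
    """Resolve the login by the IdP-assigned subject, scoped by issuer.

    Azure AD's multi-tenant issuer URL embeds the tenant id and "sub" is assigned
    by the IdP, so a token from the attacker's tenant cannot carry the victim's
    key. An unlinked identity yields None: the app must run an explicit,
    verified linking flow rather than silently merging on email.
    """
    key = (claims["iss"], claims["sub"])
    account_id = store.federated.get(key)
    return store.accounts.get(account_id) if account_id is not None else None


# --- constructed demo data (fake tenant ids, fake subjects) ------------------
VICTIM_EMAIL = "alice@victim.example"
VICTIM_TID = "11111111-1111-1111-1111-111111111111"
ATTACKER_TID = "22222222-2222-2222-2222-222222222222"
VICTIM_ISS = f"https://login.microsoftonline.com/{VICTIM_TID}/v2.0"
ATTACKER_ISS = f"https://login.microsoftonline.com/{ATTACKER_TID}/v2.0"

# Decoded payload of a token minted by the attacker's own tenant, after the
# attacker set their user's Contact Information email to the victim's address.
ATTACKER_CLAIMS = {
    "iss": ATTACKER_ISS,
    "tid": ATTACKER_TID,
    "sub": "attacker-subject-0001",
    "email": VICTIM_EMAIL,  # spoofed and unverified
    "preferred_username": "mallory@attacker-tenant.example",
    "aud": "multi-tenant-app-client-id",
}

# Decoded payload of a genuine token from the victim's tenant, for comparison.
VICTIM_CLAIMS = {
    "iss": VICTIM_ISS,
    "tid": VICTIM_TID,
    "sub": "victim-subject-0001",
    "email": VICTIM_EMAIL,
    "preferred_username": VICTIM_EMAIL,
    "aud": "multi-tenant-app-client-id",
}


def build_demo_store() -> UserStore:
    """Alice has a local account and has linked her real Microsoft identity."""
    store = UserStore()
    store.add_account(1, VICTIM_EMAIL)
    store.link_identity(VICTIM_ISS, "victim-subject-0001", 1)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print("vulnerable, attacker token:", lookup_user_vulnerable(store, ATTACKER_CLAIMS))  # Alice's account: takeover
    print("hardened,   attacker token:", lookup_user_hardened(store, ATTACKER_CLAIMS))    # None
    print("hardened,   victim token:  ", lookup_user_hardened(store, VICTIM_CLAIMS))      # Alice's account
```

The authentication-platform case from the summary is the same bug one step earlier: an "if the email matches an existing user, link this identity to it" rule is `lookup_user_vulnerable` followed by `link_identity`, which permanently hands the attacker's subject a link to the victim's account. In the hardened path the email claim is carried along only as contact data, and any account linking happens through a flow the application verifies itself.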
Terms and concepts to know
Familiarity with the terms below will help you better understand the nOAuth configuration issue.
OAuth and OpenID Connect
Open Authorization (OAuth) is an open, token-based authorization framework that allows users to grant one application access to their private resources held by another application without sharing their credentials with it. For example, a Facebook user can authorize Medium to access their profile, read their posts, or post to their feed without having to give Medium their Facebook credentials.

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows applications to verify users’ identities and obtain basic profile information. The protocol uses JSON Web Tokens (JWT) to securely transmit this information between parties.
In combination with OAuth, OIDC allows users to sign in to websites – using their Microsoft account, for example.
Identity Provider (IdP)
An Identity Provider (IdP) is used as an external source of truth for user identities. Okta, Google, Twitter, and Azure AD are a few popular identity providers.
For the “Open” in OAuth and OIDC to work, authentication rests on pre-established trust between the application and the IdP. If the IdP cannot be trusted with the identity information it provides, or if an application bases the user’s identity on a claim that the IdP itself says is mutable, the whole system fails.
Azure Active Directory (Azure AD)
Azure AD is a cloud-based identity and access management service. Azure AD manages user access to external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications using OAuth apps. Azure Active Directory also manages internal resources