Microsoft recently addressed a security concern raised by Descope, a group of security researchers. The researchers discovered a potential attack route, called “nOAuth”, that was present in certain applications that utilize the Azure Active Directory service.

The issue stemmed from a practice where application developers allowed the use of e-mail claims during authentication, which is not recommended. Azure AD relies on OAuth tokens and the OpenID Connect identity layer, but it had a flaw that made these e-mail claims “mutable” or changeable by attackers, according to Descope.

To exploit the nOAuth attack route, an attacker would first need to create an Azure AD tenant. The attacker then modifies the “Email attribute” associated with his account to match the victim’s email address. Then, when prompted to authenticate, the attacker uses his account on his own tenant. When the resulting token is used by the application, the email claim will match the victim’s email address, and if no additional validation is performed, the attacker will be able to authenticate as the victim in that application.

Descope promptly notified Microsoft about the issue and also reached out to application and web developers to raise awareness. However, given the vast number of applications on the internet, Descope acknowledged that there might still be some vulnerable apps that haven’t been identified.

The problem with Azure AD allowing mutable e-mail claims becomes more significant when an application lets its users sign in with any of several identity providers, which is convenient for users who may forget which provider they used initially.

Descope provided an example of a user who signed up for an app using Facebook but later became inactive and forgot which identity provider they had used. If the user then tries to log in to the same app using “Log in with Microsoft,” the two provider accounts may be merged for accessing the app. However, if the application developer relied on e-mail claims to link the accounts, this is the point at which an attacker could substitute their own e-mail claim.

The fundamental issue with Azure AD is that it permits unvalidated emails to be sent as claims, as highlighted by Descope. The researchers emphasized that the email claim in Microsoft Azure AD is both mutable and unverified, making it untrustworthy and unsuitable for use as an identifier.

Descope reported the Azure AD issue to Microsoft on April 11, 2023, and as a result, they received a bug bounty reward of $75,000. Microsoft subsequently provided guidance to application developers with vulnerable apps and implemented mitigations to protect customers from potentially vulnerable applications.

There are three main safeguards to mitigate this attack. First, and most important, always validate the issuer on tokens. The issuer will include the Azure Tenant ID which in the nOAuth attack won’t match the victim’s actual tenant. Second, always validate the audience claim. Third, always use the token subject claim for identity matching.
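The following is an added example, not code from the original post or from Optimal IdM, showing what the three safeguards look like in a relying application: the e-mail-only lookup that nOAuth abuses next to a hardened lookup that checks the issuer’s tenant ID, checks the audience, and keys the account on the (issuer, subject) pair. Claims are handed in already decoded; the JWT signature is assumed to have been verified beforehand. The tenant ID, audience, account records and token claims are all constructed for the example, and the issuer format assumed is the Azure AD v2.0 one (`https://login.microsoftonline.com/<tenant-id>/v2.0`).

```python
from urllib.parse import urlparse

# Hypothetical values the relying application expects (constructed for this example).
EXPECTED_TENANT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_AUDIENCE = "api://example-app-client-id"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0"

# Constructed account store: accounts are keyed on the (issuer, subject) pair
# recorded when the user first signed in, never on the e-mail address alone.
USER_DB = {
    (EXPECTED_ISSUER, "victim-sub-abc"): {
        "account": "victim-account",
        "email": "victim@example.com",
    },
}


def tenant_from_issuer(iss):
    """Return the tenant ID embedded in an Azure AD v2.0 issuer URL, or None."""
    parsed = urlparse(iss)
    if parsed.scheme != "https" or parsed.netloc != "login.microsoftonline.com":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    # Expected path shape: /<tenant-id>/v2.0
    if len(parts) != 2 or parts[1] != "v2.0":
        return None
    return parts[0]


def match_by_email_insecure(claims):
    """Vulnerable pattern: trust the mutable, unverified email claim as the identity."""
    for record in USER_DB.values():
        if record["email"] == claims.get("email"):
            return record["account"]
    return None


def validate_and_match(claims, now):
    """Hardened pattern: validate issuer (tenant), audience and expiry, then
    match the account on the (issuer, subject) pair. Returns the account name
    or None when any check fails."""
    iss = claims.get("iss", "")
    # Safeguard 1: the issuer must belong to the tenant we expect.
    if tenant_from_issuer(iss) != EXPECTED_TENANT_ID:
        return None
    # Safeguard 2: the token must be minted for this application.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return None
    # Reject expired tokens (exp is a Unix timestamp).
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    # Safeguard 3: identity is the subject, scoped to its issuer.
    sub = claims.get("sub")
    if not sub:
        return None
    record = USER_DB.get((iss, sub))
    return record["account"] if record else None


# Constructed, already-decoded token claims (signature assumed verified).
LEGITIMATE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "victim-sub-abc",
    "email": "victim@example.com",
    "exp": 2_000_000_000,
}
# Token from the attacker's own tenant, with the email attribute set to the
# victim's address; only the email claim resembles the victim.
ATTACKER_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "aud": EXPECTED_AUDIENCE,
    "sub": "attacker-sub-xyz",
    "email": "victim@example.com",
    "exp": 2_000_000_000,
}

if __name__ == "__main__":
    now = 1_700_000_000
    print("email-only lookup, attacker token:", match_by_email_insecure(ATTACKER_CLAIMS))
    print("hardened lookup, attacker token:  ", validate_and_match(ATTACKER_CLAIMS, now))
    print("hardened lookup, legitimate token:", validate_and_match(LEGITIMATE_CLAIMS, now))
```

With the e-mail-only lookup the attacker’s token resolves to the victim’s account; with the hardened lookup it is rejected at the issuer check, and even if the issuer check were relaxed for a multi-tenant application (validating against a list of allowed tenants instead of one), the (issuer, subject) key would still not collide with the victim’s record.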

Optimal IdM always validates tokens this way, which is in line with Microsoft guidance, so this vulnerability does not affect the OptimalCloud or OFIS 4.1. This same flow applies to SAML2 as to OIDC. To learn more, contact us at info@optimalidm.com or visit us at www.optimalidm.com.
