Microsoft Patches Critical ‘nOAuth’ Flaw in Azure AD Apps


Microsoft has patched a new security vulnerability that was discovered in some applications leveraging Azure Active Directory (recently renamed Microsoft Entra ID). The authentication bypass flaw could allow threat actors to completely take over the victim’s account.

The security vulnerability, dubbed nOAuth, was first discovered by the security researchers at Descope. It lets threat actors modify email attributes in Azure AD accounts and abuse the “Log in with Microsoft” feature for authorization on the website or application. This could allow hackers to hijack the target account, establish persistence, and explore lateral movement.

“If the app merges user accounts without validation, the attacker now has full control over the victim’s account, even if the victim doesn’t have a Microsoft account,” Descope explained. “After successful login, the attacker has an open field depending on the nature of the app or site they have taken over. They can establish persistence, exfiltrate data, explore if lateral movement is possible, and so on.”

You can see how the potential exploitation works in the video below:

How to protect Azure AD apps against ‘nOAuth’ Attacks

The Descope security team reported the Azure AD authentication bypass vulnerability to Microsoft in April and won a $75,000 bug bounty. The company has since deployed mitigations to protect customers against nOAuth attacks.

Microsoft has since published guidance to help developers address the flaw in vulnerable apps. The company strongly recommends that email claims not be used for primary user identification or for authorization decisions, and suggests that developers follow best practices for token validation. Finally, developers should review their app’s source code for incorrect authorization patterns.
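As an added illustration (not code from Descope or Microsoft), the account-merging pattern the guidance warns about is shown beside a version that keys users on the token’s stable tenant and object identifiers; the claim values and the local user table are constructed, and signature, issuer, audience and expiry validation of the token is assumed to have already happened.

```python
"""nOAuth-style account linking: merge-by-email versus a stable identity key.
All claims and accounts below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    account_id: str
    email: str                      # profile data only, treated as unverified
    ms_identity: Optional[Tuple[str, str]] = None   # (tid, oid) once linked

# Constructed user table: a victim with a password-only local account who
# has never used "Log in with Microsoft".
ACCOUNTS: Dict[str, Account] = {"acct-1": Account("acct-1", "victim@example.com")}

# Constructed ID-token claims from an attacker-controlled tenant whose user
# object has had its email attribute set to the victim's address.
ATTACKER_CLAIMS = {
    "tid": "tenant-attacker",        # placeholder tenant id
    "oid": "oid-attacker",           # placeholder object id
    "email": "victim@example.com",   # mutable, not verified by the IdP
}

def new_account(claims: dict, identity: Optional[Tuple[str, str]] = None) -> Account:
    acct = Account(f"acct-{len(ACCOUNTS) + 1}", claims.get("email", ""), identity)
    ACCOUNTS[acct.account_id] = acct
    return acct

def vulnerable_login(claims: dict) -> Account:
    """The nOAuth pattern: merge into whichever account carries the same email."""
    for acct in ACCOUNTS.values():
        if acct.email.lower() == claims["email"].lower():
            return acct              # attacker is now inside the victim's account
    return new_account(claims)

def hardened_login(claims: dict) -> Account:
    """Identify the user by the immutable (tid, oid) pair; never auto-merge on email."""
    identity = (claims["tid"], claims["oid"])
    for acct in ACCOUNTS.values():
        if acct.ms_identity == identity:
            return acct
    # Unknown identity: provision a separate account. Linking it to an existing
    # local account would need an explicit, separately verified email step.
    return new_account(claims, identity)
```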