OAuth vulnerability threatens Azure accounts
There is a vulnerability
in specific Microsoft OAuth 2.0 applications that could let an attacker gain access
and control of a victim’s Azure account.
The flaw was
found by Cyberark researchers who noticed that many white-listed OAuth applications,
at least 54, automatically trust domains and sub-domains that are not
registered by Microsoft so anyone can do so. These apps are essentially given “approved”
status by default and can ask for an access_token.
“The
combination of these two factors makes it possible to produce an action with
the user’s permissions – including gaining access to Azure resources, AD
resources and more,” a Cyberark
report stated
To initiate
a takeover an attacker would have to convince the target to click on a link or
visit a compromised website. From here there are two paths an attacker can take
to gain control.
The link clicking
method sees the creation of a crafted link for Microsoft OAuth Web flow with
the vulnerable Microsoft applications; then sets the application_id to match
the vulnerable OAuth application; followed by setting the redirect_uri param to
the controlled white-listed domains. The attacker than changes the resource to
the one he wants to get access to on behalf of the user.
When the
victim clicks on the crafted link and microsoftonline.com redirects him to the
attacker’s domain with the access token and the Javascript running in the
domain sends API requests with the stolen access token.
To steps involved
when using a malicious website is basically the same, but with a few added
steps. After setting the redirect_uri parameter to the controlled, white-listed
domains the threat actor sets the resource parameter to the desired resource
that he wants to get access to on behalf of the user.
The attacker
than places an iframe in a website with the src attribute set to the crafted
link so when the victim browses through the ifram redirects the person to the
attacker’s fake website with the newly created access token. Then, as with the
link method, the Javascript running in the domain sends API requests with the
stolen access token.
“While OAuth
2.0 is an excellent solution for authorization, if misused or misconfigured, it
could have a tremendous impact, allowing for over-privileged third-party
applications or the eventual account takeover by malicious attackers,” Cyberark
said.
The company has
a free and automatic scanning tool for anyone to discover similar vulnerable
applications in their Azure environment at https://black.direct/
Cyberark also
has several recommendations to mitigate the vulnerability.
- Make
sure that all the trusted redirect URIs configured in the application are under
your ownership. - Remove
unnecessary redirect URIs. - Make
sure the permissions that the OAuth application asks for are the least
privileged one it needs. - Disable
non-used applications.
Gloss