Go to listing page

Microsoft Fixes a Flaw with Third-Party Authentication

Microsoft Fixes a Flaw with Third-Party Authentication
  • Microsoft applications are widely used in enterprises and a security flaw in them can potentially affect a lot of organizations across the globe.
  • The team at Microsoft recently patched an authentication issue that could have allowed a complete take over of vulnerable Azure cloud accounts.

Details of the flaw

OAuth is a standard protocol that allows users to share data with other applications without having to enter their credentials every time. This particular flaw was in the way the Microsoft applications used OAuth to authenticate third-party applications.

  • The OAuth 2.0 flow in Microsoft applications allowed the applications to trust domains and sub-domains that are not registered by Microsoft.
  • Three applications—Portfolios, Office 365 Secure Score, and Microsoft Trust Service— were found to be trusting the unregistered domains and sub-domains.

“By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization’s data with ransomware and more,” said Omer Tsarfati, researcher at CyberArk.

The attack

With some of Microsoft’s whitelisted URLs not a part of the previously registered Azure directory, attackers can take advantage by taking over these domains and registering them.

  • These domains would be auto-approved, allowing attackers access to request for user tokens.
  • With these tokens, attackers would be able to perform actions at the user level.
  • In case the victim is an admin, attackers would be able to perform a number of high-level operations as well.

More details

This flaw has not been assigned a CVE because it was only in Microsoft’s Online Service. It was discovered on October 29 this year and a patch was made available on November 19.

“We resolved the issue with the applications mentioned in this report in November and customers remain protected,” a Microsoft spokesperson was reported to have told Threatpost.

Cyware Publisher