Cloud Security, Identity

Total account takeover possible with Microsoft Azure AD flaw

Threat actors could exploit an authentication flaw in Microsoft Azure Active Directory's OAuth implementation, dubbed "nOAuth" by its discoverers at Descope, to take over accounts in applications that offer "Log in with Microsoft," reports The Hacker News. The flaw stems from a misconfiguration: the email attribute under a user's "Contact information" in Azure AD can be edited to an arbitrary address, and Azure AD passes that unverified address to applications in the token's email claim. An application that uses the email claim to look up or merge accounts will therefore log the attacker into the victim's account, said Descope Chief Security Officer Omer Cohen. "If the app merges user accounts without validation, the attacker now has full control over the victim's account, even if the victim doesn't have a Microsoft account," Cohen added.

Microsoft described the issue as an "insecure anti-pattern." "An attacker can falsify the email claim in tokens issued to applications. Additionally, the threat of data leakage exists if applications use such claims for email lookup," said Microsoft, which has already notified multi-tenant applications that have users whose email addresses are not in a domain with a verified owner.
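To make the anti-pattern concrete, the following is an added example (not code from the article, Descope, or Microsoft) of a toy "Log in with Microsoft" callback: a vulnerable version that keys accounts on the email claim, beside a hardened version that keys on the tenant and object identifiers and refuses to merge on an unverified email. The user store, the token dictionaries and the function names are constructed for this illustration; the claim names tid, oid, email and xms_edov follow Microsoft's documented Azure AD ID-token claims, and the token is assumed to have already had its signature, issuer, audience and expiry checked.

```python
# Added example, not the article's or any vendor's code. Everything below
# (users, tokens, function names) is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    email: str
    # Federated identities already bound to this account, as (tid, oid) pairs.
    linked_identities: set = field(default_factory=set)


# Constructed sample store. "u-100" registered with a password only and has
# never linked a Microsoft account; "u-200" previously linked one.
USERS = {
    "u-100": User("u-100", "victim@example.com"),
    "u-200": User(
        "u-200",
        "alice@contoso.example",
        {("22222222-2222-2222-2222-222222222222",
          "bbbbbbbb-0000-0000-0000-000000000002")},
    ),
}

# Constructed claims from a token minted by an attacker-controlled tenant. The
# attacker edited the Email field under the user's Contact information to the
# victim's address; Azure AD copies it, unverified, into the email claim.
ATTACKER_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "victim@example.com",
    # no xms_edov claim: the issuing tenant has not verified example.com
}

# Constructed claims from Alice's legitimate, previously linked identity.
ALICE_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "email": "alice@contoso.example",
}


def login_vulnerable(claims, users):
    """The nOAuth anti-pattern: the mutable, unverified email claim is the
    account key, and a match is merged silently into the existing account."""
    wanted = claims.get("email", "").lower()
    for user in users.values():
        if user.email.lower() == wanted:
            return user  # the attacker is now logged in as the victim
    return None


def login_hardened(claims, users):
    """Key on the (tid, oid) pair and never merge on email alone.

    Returns a (decision, user) tuple:
      ("ok", user)                 identity already bound to this account
      ("link_verified", user)      email matches and Azure AD asserts the
                                   issuing tenant owns the email's domain
      ("needs_verification", None) email matches but is unverified; require
                                   a proof-of-control step before linking
      ("new_account", None)        no match; provision a fresh account
    """
    identity = (claims["tid"], claims["oid"])
    for user in users.values():
        if identity in user.linked_identities:
            return "ok", user

    wanted = claims.get("email", "").lower()
    match = next((u for u in users.values() if u.email.lower() == wanted), None)
    if match is None:
        return "new_account", None
    # xms_edov is the optional "email domain owner verified" claim Microsoft
    # documents; treating it as the only acceptable basis for an email-based
    # link is this example's policy choice, not something the article states.
    if claims.get("xms_edov") is True:
        return "link_verified", match
    return "needs_verification", None
```

Run against the constructed data, login_vulnerable hands the attacker's token the victim's account "u-100", while login_hardened returns "needs_verification" for the same token, "ok" for Alice's bound identity, and "new_account" for an email that matches nobody. The design point is that oid is stable within a tenant and tid identifies the tenant, so the pair survives an email change, whereas the email claim is only as trustworthy as the tenant administrator who set it.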
