Microsoft Fixes Flaw Threatening Azure AccountsMicrosoft Fixes Flaw Threatening Azure Accounts
Researchers detail a bug they found in some of Microsoft's OAuth 2.0 applications.
December 3, 2019
Researchers from CyberArk today outlined a vulnerability they discovered this fall in some Microsoft OAuth 2.0 applications that could allow an attacker to hijack Azure accounts. Microsoft fixed the flaw late last month.
The weaknesses lie in OAuth settings in Microsoft's Portfolios, O365 Secure Score, and Microsoft Service Trust applications, and could be abused by an attacker to grab admin accounts and basically "own" Azure accounts. OAuth is a popular authorization protocol that allows users to share information about their accounts among third-party applications and websites.
"The OAuth applications trust domains and sub-domains are not registered by Microsoft, so they can be registered by anyone (including an attacker). These apps are approved by default and are allowed to ask for 'access_token,'" CyberArk said in a blog post about the vuln. "The combination of these two factors makes it possible to produce an action with the user's permissions – including gaining access to Azure resources, AD resources and more."
Read more here.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023