HTMD Community | Latest Azure AD Authentication Flaw is FIXED by Microsoft @htmdcommunity | Uploaded 1 year ago | Updated 1 day ago
Microsoft warns about a potential risk of privilege escalation in Azure AD applications that use the email claim for authorization.

As per Microsoft,
Using the email claim for authorization in Azure AD applications is an insecure anti-pattern that can lead to an escalation of privilege or data leakage.

Microsoft has deployed mitigations to omit token claims from unverified domain owners for most applications. Still, developers should review their application source code and follow the guidance to migrate away from email claim usage.

Descope is credited for discovering and reporting this issue to Microsoft.

According to the blog post, if your app offers “Log in with Microsoft” and uses the email address as the unique identifier for the user, it may be vulnerable to nOAuth.

It suggests using the “sub” (Subject) claim as the unique identifier for the user instead of the email claim.

According to the blog post, Microsoft has introduced two new claims to help prevent nOAuth from being used against apps.

The first claim is xms_edov [Email Domain Owner Verified], which is an optional claim that indicates whether an email claim contains a domain-verified email address.

The second claim is RemoveUnverifiedEmailClaim, which is an authentication behavior flag that can redact email claims when the domain for the email is unverified.
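To make the guidance above concrete, here is an added example (not HTMD Community's, Descope's or Microsoft's code) that contrasts the email-keyed user lookup the post calls an anti-pattern with a lookup keyed on the “sub” claim, and that only treats the email claim as usable when the optional “xms_edov” flag says the domain was verified. The claim names sub, email and xms_edov are from the post; the token payloads, the user store and the helper names are constructed for the example.

```python
"""Added example: sub-keyed identity lookup and xms_edov-gated email use.

Token payloads and user records below are constructed sample data, not
tokens issued by Azure AD. Claim names sub, email and xms_edov follow the
Microsoft guidance quoted on the page; the helper names are this example's.
"""

from dataclasses import dataclass, field


@dataclass
class User:
    sub: str            # per-app stable user identifier from the token
    email: str          # address as last seen, informational only
    roles: set = field(default_factory=set)


# Constructed user store: the admin record is the one an email-keyed
# lookup would hand out to any token that merely carries the same address.
USERS = [
    User(sub="AAAAAAAAAAAAAAAAAAAAAK0001", email="admin@contoso.example", roles={"admin"}),
    User(sub="AAAAAAAAAAAAAAAAAAAAAK0002", email="reader@contoso.example", roles={"reader"}),
]


def lookup_by_email(claims: dict):
    """Anti-pattern described on the page: the email claim is used as the key.

    Nothing here checks that the issuer verified the address, so a token
    from an unverified domain resolves to whatever record shares the address.
    """
    email = (claims.get("email") or "").lower()
    return next((u for u in USERS if u.email.lower() == email), None)


def lookup_by_sub(claims: dict):
    """Recommended pattern: key the user record on the sub claim only."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token has no sub claim; refuse to authenticate")
    return next((u for u in USERS if u.sub == sub), None)


def verified_email(claims: dict):
    """Return the email claim only when xms_edov marks its domain as verified.

    xms_edov is optional, so a missing flag is treated as unverified. A token
    whose email was redacted by RemoveUnverifiedEmailClaim has no email key
    at all and also yields None, which is the safe outcome for both cases.
    """
    if claims.get("xms_edov") is True and "email" in claims:
        return claims["email"]
    return None


# Constructed token payloads (signature validation assumed done upstream).
TOKEN_ADMIN = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAK0001",
    "email": "admin@contoso.example",
    "xms_edov": True,
}
# Same address, different subject, unverified domain: the case xms_edov exposes.
TOKEN_UNVERIFIED = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAK0099",
    "email": "admin@contoso.example",
    "xms_edov": False,
}


if __name__ == "__main__":
    for name, tok in (("admin", TOKEN_ADMIN), ("unverified", TOKEN_UNVERIFIED)):
        by_email = lookup_by_email(tok)
        by_sub = lookup_by_sub(tok)
        print(name,
              "email-keyed ->", by_email.roles if by_email else None,
              "| sub-keyed ->", by_sub.roles if by_sub else None,
              "| usable email ->", verified_email(tok))
```

Running the block shows the email-keyed lookup granting the admin record to the unverified token while the sub-keyed lookup returns no record for it; if the application also needs the address (for notifications, say), `verified_email` is the only path that reads it, and a token redacted by RemoveUnverifiedEmailClaim falls through to `None` rather than raising.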

#azuread #security #emailclaim #howtomanagedevices #nOAuth #AADApplication #AADSecurity
#vulnerability #fixed

==
Links

Potential Risk of Privilege Escalation in Azure AD Applications - https://msrc.microsoft.com/blog/2023/06/potential-risk-of-privilege-escalation-in-azure-ad-applications/


nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover - https://www.descope.com/blog/post/noauth
