Microsoft patches NoAuth vulnerability, blocking account takeover attacks

Reading time icon 3 min. read

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

As reported by Security Boulevard, a vulnerability has been discovered in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process that could allow hackers to take complete control of user accounts.

The vulnerability, dubbed “NoAuth” by researchers from Descope, a California-based identity and access management service, affects multi-tenant OAuth applications within Azure AD. NoAuth is an authentication implementation flaw that allows attackers to modify the email attribute under the “Contact Information” section in Azure AD accounts. By exploiting the “Log in with Microsoft” feature, malicious actors can then compromise victim accounts.

To exploit NoAuth, an attacker would first need to create an Azure AD admin account. They would then modify the email address associated with this account to match the email address of the victim they want to target.

Once the attacker has modified the email address, they can then use the “Log in with Microsoft” feature to log in to any vulnerable application or website as the victim. This would give the attacker full control of the victim’s account, including access to their data and passwords.

Terms you should know to understand NoAuth better

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an open authentication protocol that builds on the OAuth 2.0 architecture. OIDC is designed to be used by consumer-facing applications, and it allows users to access multiple websites with just one sign-on (SSO).

Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is a cloud-based identity and access management (IAM) service that helps organizations manage user access to applications and resources. Azure AD uses OAuth 2.0 and OpenID Connect (OIDC) to provide a secure and convenient way for users to sign in to applications and websites.

Identity Provider (IdP)

Identity providers (IdPs) are a critical part of the OAuth and OIDC authentication process. An IdP is a trusted third party that stores and verifies user identities. When a user signs in to an application or website that uses OAuth or OIDC, the application or website redirects the user to the IdP’s login page. The IdP then validates the user’s credentials and, if successful, issues an access token to the application or website. The application or website can then use the access token to access the user’s protected resources.

Open Authorization (OAuth)

Open Authorization (OAuth) is an open, token-based authorization framework that allows users to grant access to their private resources to third-party applications without sharing their passwords or other sensitive information. For example, a Facebook user can authorize Medium to access their profile, read their posts, or post to their feed without having to provide Medium with their Facebook login information.