Descope Security Team Uncovers “nOAuth” Flaw in Microsoft Azure AD OAuth Applications

June 21, 2023
  • The Descope security team has discovered a critical flaw, termed “nOAuth,” in Microsoft Azure AD OAuth applications, which allows attackers to take over accounts by exploiting mutable and unverified email claims.
  • In response to the vulnerability, Microsoft is collaborating with Descope to introduce new claims that let apps check whether an email address belongs to a verified domain and refuse to trust email claims from unverified domains.

The Descope security team has recently uncovered a significant security vulnerability in Microsoft Azure AD OAuth applications, which they have dubbed “nOAuth”. This term has been coined to denote an authentication implementation flaw, with a touch of wordplay.

Credit: https://www.descope.com/blog/post/noauth

nOAuth is an authentication implementation flaw that primarily affects Microsoft Azure AD multi-tenant OAuth applications. According to the OAuth specification, users should be uniquely identified by the “sub” (subject) claim. In practice, however, many applications use the “email” claim as the identifier, even though the specification does not sanction that.

In the case of Microsoft Azure AD, the email claim is both mutable and unverified, which poses a security risk. Because the claim is mutable, bad actors can change the email attribute under “Contact Information” in Azure AD accounts and thereby control the “email” claim in the returned identity JWT (JSON Web Token); because it is unverified, nothing confirms that the account actually owns that address.

This flaw essentially allows an attacker to create an Azure AD tenant, set up a user whose email attribute matches a victim’s address, and use “Log in with Microsoft” against a vulnerable app, which can lead to a complete account takeover.

The Descope security team identified this flaw and communicated it to Microsoft. Previously, Microsoft’s documentation advised against using email addresses as unique identifiers but did not provide robust guidance. Since being informed of the issue, Microsoft has revamped its documentation to include more stringent guidelines and dedicated sections on claim verification.

In a collaborative effort with Descope, Microsoft is also introducing two new claims to help mitigate cross-tenant spoofing through nOAuth. These features will let apps check whether an email claim contains a domain-verified email address, and will redact the email claim when the email domain is not verified.
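To make the identity-mapping mistake concrete, the following added example (not code from Descope or Microsoft) contrasts an app that keys accounts on the “email” claim with one that keys on issuer plus “sub”. The tenant issuer URLs and token claims are constructed samples, the claims are assumed to have already passed signature, issuer and audience validation, and the claim name `email_domain_verified` is a hypothetical placeholder for the domain-verified email claim the article says Microsoft is adding.

```python
"""Illustration of the nOAuth mapping mistake: keying accounts on the mutable
``email`` claim versus keying them on ``iss`` + ``sub``. All values below are
constructed samples; claims are assumed to be already signature-validated."""

# Constructed issuer URLs for two Azure AD tenants (placeholder tenant IDs).
TENANT_A = "https://login.microsoftonline.com/tenant-a-placeholder/v2.0"
TENANT_B = "https://login.microsoftonline.com/tenant-b-placeholder/v2.0"

# Hypothetical claim name standing in for the domain-verified email claim the
# article describes; the page does not name the real claim.
DOMAIN_VERIFIED_CLAIM = "email_domain_verified"

# Decoded ID-token claims: the legitimate user in tenant A, and a user in a
# separate tenant B whose email attribute was set to the same address.
VICTIM_CLAIMS = {"iss": TENANT_A, "sub": "sub-victim-001",
                 "email": "victim@example.com", DOMAIN_VERIFIED_CLAIM: True}
SPOOFED_CLAIMS = {"iss": TENANT_B, "sub": "sub-other-999",
                  "email": "victim@example.com", DOMAIN_VERIFIED_CLAIM: False}

# Vulnerable pattern: the app's user table is indexed by email alone.
ACCOUNTS_BY_EMAIL = {"victim@example.com": "acct-victim"}
# Hardened pattern: indexed by (issuer, subject), a pair that a different
# tenant cannot make collide with the victim's entry.
ACCOUNTS_BY_SUBJECT = {(TENANT_A, "sub-victim-001"): "acct-victim"}


def resolve_user_by_email(claims):
    """Vulnerable lookup: any tenant that sets a matching email wins."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def resolve_user_by_subject(claims):
    """Hardened lookup keyed on the stable, issuer-scoped subject claim."""
    return ACCOUNTS_BY_SUBJECT.get((claims.get("iss"), claims.get("sub")))


def email_usable_for_linking(claims):
    """Allow email to seed a first-time account link only when the identity
    provider asserts the domain was verified; otherwise treat it as untrusted."""
    return bool(claims.get("email")) and claims.get(DOMAIN_VERIFIED_CLAIM) is True


if __name__ == "__main__":
    print("email lookup, spoofed token  :", resolve_user_by_email(SPOOFED_CLAIMS))
    print("subject lookup, spoofed token:", resolve_user_by_subject(SPOOFED_CLAIMS))
    print("subject lookup, victim token :", resolve_user_by_subject(VICTIM_CLAIMS))
    print("may link on email, spoofed   :", email_usable_for_linking(SPOOFED_CLAIMS))
```

The email-keyed lookup resolves the spoofed token to the victim's account, while the subject-keyed lookup returns nothing for it and still resolves the genuine token.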

Impacted Parties and Potential Risks:

The Descope security team reached out to several large applications that were vulnerable to the nOAuth tactic. Among them were a design application with millions of monthly users, a publicly-traded customer experience company, and a leading multi-cloud consulting provider.

© 2025 SimpleLifeTrading.us. All Rights Reserved