Microsoft has admitted that a vulnerability has been discovered in its Azure Active Directory (AD) Open Authorization (OAuth) process which facilitates hackers a complete account takeover. Researchers from Descope, a California-based identity and access management service, have reported the vulnerability and named it ‘NoAuth.’ During April 2023, Descope’s Chief Security Officer, Omer Cohen, described NoAuth as ‘an authentication implementation flaw that primarily affects multi-tenant OAuth applications within Microsoft Azure AD.’
The misconfiguration related to the modification of email attributes under the “Contact Information” section in Azure AD accounts. Exploiting the “Log in with Microsoft” feature, malicious actors could compromise victim accounts. To leverage the “Log in with Microsoft” option for authorization on the vulnerable app or website, an attacker merely needed to modify their Azure AD admin account’s email address to the victim’s address associated with the Azure AD admin account to the victim’s email address.