If you are a cybersecurity enthusiast, then you must have heard of the recent insecure anti-pattern found in Azure AD applications. Thanks to Descope’s vigilant reporting, Microsoft is now on the ball, developing mitigations for this security issue. It’s a reminder that even the smallest overlook can potentially create a loophole big enough for unauthorized access and data leakage. Buckle up, we’re about to dive into the details!
The Risk with Email Claim
Email claims from access tokens have been a handy tool for authorization. However, it appears that using them can potentially lead to an escalation of privilege. An attacker, with just the right know-how, can falsify the email claim in tokens issued to applications. This, in turn, can result in significant threats of data leakage if applications use such claims for email lookup.
Therefore, Microsoft suggests taking a backseat with email claims when it comes to authorization. In fact, if you’ve been using the email claim for authorization or primary user identification, your application may be at risk of account and privilege escalation attacks.
The Developer’s Defense
Microsoft is encouraging developers to review their application’s authorization business logic. This step will protect applications from unauthorized access. Microsoft has also put together some best practices for token validation on their identity platform. These should be followed religiously to ensure safety. And if you’re using third-party applications, it’s best to confirm that your vendors also stick to these practices.
Keeping a Check on your Application’s Source Code
It’s crucial to regularly review your application’s source code. Specifically, look for places where emails might be used for primary user identification or authorization. These practices expose your application to the risk of account escalation attacks.
How Are the Customers Affected?
Microsoft has been proactive, identifying several multi-tenant applications with users using an unverified domain owner email address. Application owners have been notified and provided with guidance. However, if you didn’t receive any notification, your application is likely safe from consuming email claims with unverified domain owners. In the interest of further security, Microsoft is omitting token claims from unverified domain owners.
The Technical Gritty-Gritty
The vulnerability stems from AAD users who do not have a provisioned mailbox. Their Mail attribute can be any email address, which isn’t necessarily from a verified email. If a rogue admin within a single tenant app modifies an AAD user with an impersonated email, and an application uses that unverified email claim for authorization, we’re looking at potential unauthorized access. The risk magnifies with multi-tenant applications.
Securing Azure AD Applications
Applications should abandon the usage of email claims for authorization due to their mutable nature and non-uniqueness. Microsoft recommends going through the documentation providing guidance on migrating away from email claim usage. Developers should religiously follow the best practices for claims-based authorization, especially if your application is currently affected.
