Security analysts from the cybersecurity firm CyberArk recently found a critical vulnerability in Microsoft Azure that could allow attackers to take control of Microsoft Azure user accounts.
The vulnerability, dubbed BlackDirect, specifically affects some of Microsoft's own OAuth 2.0 applications, according to the researchers. Because those applications trust redirect URIs on domains an attacker can register, an attacker can obtain an access token carrying the victim's permissions and use it to access and control the victim's Azure account.
About OAuth
OAuth is a widely used authorization protocol that lets end users grant websites or applications access to their information without handing over their passwords. Many services use OAuth to let users share data from their accounts with third-party applications.
OAuth 2.0 is the current version of the protocol. It lets a third-party application obtain limited, scoped access to an HTTP service on behalf of a user, rather than the application having full access to the user's account.
The BlackDirect Vulnerability
According to CyberArk, some of Microsoft's OAuth applications trusted redirect URIs on domains and subdomains that were not registered by Microsoft, so anyone could register those domains and receive the tokens sent to them. The researchers found that this makes it possible to acquire a user's permissions, including access to Azure resources and Azure Active Directory resources.
The researchers stated that the impact of a BlackDirect attack can be severe. If exploited, the victim could suffer theft of sensitive data, compromise of production servers, manipulation of data, and encryption of all the organization's data by ransomware.
“If an attacker gains control of the domains and URLs Microsoft trusts, Microsoft’s published applications make it possible for the attacker to lead victims to automatically generate access tokens with their permissions. All the attacker must do is get their victims to click on a link or visit a compromised website, which can be done easily with simple social engineering techniques,” the researchers stated.
Mitigating Risks
CyberArk also listed a few steps to reduce the risk of this class of vulnerability:
- Remove unnecessary redirect URIs from the application's configuration.
- Make sure every trusted redirect URI configured in the application is on a domain you own and control.
- Make sure the permissions the OAuth application requests are the least privileged ones it needs.
- Disable applications that are no longer used.
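The following Python script is an added example, not code from CyberArk's research or from this article. It shows the condition BlackDirect exploited (a trusted redirect URI on a domain the application owner does not control) and the second mitigation above in working form: it audits an application's registered redirect URIs against the domains the organization owns, flags plain-HTTP and wildcard entries as well, and demonstrates the exact-match redirect validation an authorization server should perform. The application record, its app ID, the URLs and the set of owned domains are constructed placeholders; the record's layout loosely follows the Microsoft Graph application resource's web.redirectUris field, and the two-label registrable-domain helper is a simplification (use a Public Suffix List library in practice).

```python
"""Audit an OAuth app registration for redirect URIs it should not trust.

Added example: the app record, IDs and domains below are constructed placeholders,
modelled loosely on the Microsoft Graph `application` resource (web.redirectUris).
"""
from urllib.parse import urlsplit

# Constructed sample registration (not a real Microsoft application).
SAMPLE_APP = {
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder client id
    "displayName": "Example first-party app",
    "web": {
        "redirectUris": [
            "https://portal.example.com/auth/callback",             # fine
            "https://legacy-preview.example-retired.net/callback",  # domain no longer owned
            "http://portal.example.com/callback",                   # plain HTTP
            "https://*.contoso-partner.com/oauth",                  # wildcard host
            "https://app.example.com.evil.test/callback",           # lookalike, not a subdomain
        ]
    },
}

# Domains the organisation actually controls (constructed for the example).
OWNED_DOMAINS = {"example.com", "contoso-partner.com"}


def registrable_domain(host):
    """Naive registrable-domain guess: the last two labels. Real code should use
    a Public Suffix List library; this simplification keeps the example offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_owned(host, owned):
    """True if host equals an owned domain or is a proper subdomain of one.
    Suffix matching is done on a '.' boundary so example.com.evil.test does not pass."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in owned)


def audit_redirect_uri(uri, owned):
    """Return a list of findings for one registered redirect URI."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("non-https scheme")
    if "*" in parts.netloc:
        findings.append("wildcard host")
    if not host_is_owned(host, owned):
        # The BlackDirect condition: a trusted redirect target that somebody
        # else already owns or can register.
        findings.append("host not under an owned domain: " + registrable_domain(host))
    return findings


def audit_application(app, owned):
    """Map each problematic redirect URI to its findings (clean URIs are omitted)."""
    report = {}
    for uri in app.get("web", {}).get("redirectUris", []):
        findings = audit_redirect_uri(uri, owned)
        if findings:
            report[uri] = findings
    return report


def validate_redirect_uri(requested, registered):
    """Authorization-server side check: exact string comparison against the
    registered list, as the OAuth 2.0 Security BCP recommends. No prefix,
    substring or wildcard matching, which is what lets lookalike hosts through."""
    return requested in set(registered)


if __name__ == "__main__":
    for uri, findings in audit_application(SAMPLE_APP, OWNED_DOMAINS).items():
        print(uri)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed registration, the audit flags four of the five entries: the retired domain (the dangling entry an attacker could register), the plain-HTTP entry, the wildcard entry (every subdomain is trusted, including ones that may be abandoned), and the lookalike host that merely contains an owned domain as a substring. Only the exact-match check in validate_redirect_uri should decide whether an incoming redirect_uri is honoured at authorization time.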