image credit: Unsplash

Critical ‘nOAuth’ Flaw in Microsoft Azure AD Enabled Complete Account Takeover

June 21, 2023

A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.

California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth.

“nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications,” Omer Cohen, chief security officer at Descope, said.

The misconfiguration has to do with how a malicious actor can modify email attributes under “Contact Information” in the Azure AD account and exploit the “Log in with Microsoft” feature to hijack a victim account.

Read More on The Hacker News