A critical vulnerability was found in Microsoft Azure by security analysts from CyberArk.
The vulnerability, named BlackDirect, gives attackers a way to take control of Azure user accounts. It specifically affects OAuth 2.0 applications: an attacker can abuse them to get into a victim's Azure account and generate an access token carrying the victim's permissions.
OAuth is one of the most common authorization protocols, allowing end-users to grant applications or websites access to their information. Most companies use OAuth to let their users share account information with third-party apps, and OAuth 2.0 is the next-generation protocol that gives third-party applications limited access to HTTP services.
The BlackDirect Flaw
CyberArk says that the affected Microsoft OAuth applications trust domains and sub-domains that Microsoft has not registered, so anyone can register them. According to the researchers, this makes it very simple to obtain user permissions to access Active Directory and Azure resources.
The impact of the attack may be one of the most powerful yet. If the BlackDirect vulnerability is exploited, it could result in theft of sensitive data, data manipulation, production servers being compromised and organizational data being encrypted with ransomware.
The researchers said: “If an attacker gains control of the domains and URLs Microsoft trusts, Microsoft’s published applications make it possible for the attacker to lead victims to automatically generate access tokens with their permissions. All the attacker must do is get their victims to click on a link or visit a compromised website, which can be done easily with simple social engineering techniques.”
CyberArk has come up with a few ways that risks can be mitigated and vulnerabilities prevented:
- Remove unnecessary redirects
- Ensure all configured trusted redirect URIs are under organizational ownership
- Ensure the permissions the OAuth app requests are the least-privileged ones it requires
- Disable any unused applications
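As an added example (not code from the article or from CyberArk), the following script audits a list of an app registration's redirect URIs against the domains the organization owns, in the spirit of the second recommendation above. The owned domains and the redirect URIs are constructed samples; a real audit would feed in the URIs exported from the tenant's app registrations.

```python
from urllib.parse import urlsplit

# Constructed sample: domains the organization owns (assumption, edit for your tenant).
OWNED_DOMAINS = {"contoso.com", "contoso-apps.net"}

# Constructed sample: redirect URIs as they might appear on an app registration.
SAMPLE_REDIRECT_URIS = [
    "https://portal.contoso.com/auth/callback",
    "https://legacy.contoso-apps.net/oauth2",
    "http://login.contoso.com/cb",                # plaintext scheme
    "https://old-partner.example.org/callback",   # host not owned by the organization
    "https://*.contoso.com/callback",             # wildcard host
    "https://contoso.com.evil.test/callback",     # lookalike: owned name as a prefix only
    "http://localhost:8080/callback",             # local development loopback, tolerated
]


def host_is_owned(host: str, owned: set[str]) -> bool:
    """True if host equals an owned domain or is a sub-domain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def audit_redirect_uri(uri: str, owned: set[str] = OWNED_DOMAINS) -> list[str]:
    """Return the findings for one redirect URI; an empty list means it passed."""
    findings = []
    parts = urlsplit(uri)
    host = parts.hostname or ""
    loopback = host in ("localhost", "127.0.0.1")
    if parts.scheme != "https" and not loopback:
        findings.append("non-https scheme")
    if "*" in parts.netloc:
        findings.append("wildcard host")
    if loopback:
        return findings  # loopback is outside the ownership check
    if not host_is_owned(host, owned):
        findings.append("host not under organizational ownership")
    return findings


def audit_all(uris: list[str], owned: set[str] = OWNED_DOMAINS) -> dict[str, list[str]]:
    """Map each flagged URI to its findings; URIs that pass are omitted."""
    return {u: f for u in uris if (f := audit_redirect_uri(u, owned))}


if __name__ == "__main__":
    for uri, findings in audit_all(SAMPLE_REDIRECT_URIS).items():
        print(f"{uri}: {', '.join(findings)}")
```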
It seems that every day we hear of a new attack on Microsoft services. Either they are a prime target and hackers make it their business to get in, or Microsoft is leaving far too many vulnerabilities.
What do you think?