A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said.
California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth.
“nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications,” Omer Cohen, chief security officer at Descope, said.
The misconfiguration has to do with how a malicious actor can modify email attributes under “Contact Information” in the Azure AD account and exploit the “Log in with Microsoft” feature to hijack a victim account.
images from Hacker News