Critical nOAuth Flaw in Microsoft Azure AD Enabled Complete Account Takeover


According to researchers, a security flaw in the Open Authorization (OAuth) process used by Microsoft Azure Active Directory (AD) could have been exploited for complete account takeover. The problem, known as nOAuth, was found and reported in April 2023 by the California-based identity and access management provider Descope.

According to Omer Cohen, chief security officer at Descope, nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications. The misconfiguration concerns how a malicious actor can alter the email attribute under Contact Information in their Azure AD account and then use the "Log in with Microsoft" feature to hijack a victim's account.
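The account-linking mistake behind nOAuth, shown as an added example that is not code from the article or from Descope: an application that matches the mutable `email` claim of a Microsoft-issued ID token against its own user table merges an attacker's identity into the victim's account, while keying on the tenant id (`tid`) and object id (`oid`) claims, which the Microsoft identity platform issues as stable identifiers, does not. Token claims, tenant ids and the user store are constructed stand-ins for already-validated tokens.

```python
# Constructed placeholder tenant ids (not real Azure AD tenants).
VICTIM_TENANT = "tenant-victim-0000"
ATTACKER_TENANT = "tenant-attacker-1111"

# Constructed local user store: local account id -> linked identity attributes.
USERS = {
    "user-42": {"email": "victim@example.com", "tid": VICTIM_TENANT, "oid": "oid-victim"},
}


def login_by_email(claims):
    """Vulnerable pattern: the attacker-editable, unverified `email` claim selects the account."""
    wanted = claims.get("email", "").lower()
    for uid, rec in USERS.items():
        if rec["email"].lower() == wanted:
            return uid
    return None


def login_by_subject(claims):
    """Hardened pattern: key on the (tid, oid) pair and never on email.

    An identity that is not already linked yields None so the caller provisions
    a fresh local account instead of merging into an existing one by address.
    """
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        raise ValueError("token lacks tid/oid; refuse to link")
    for uid, rec in USERS.items():
        if (rec["tid"], rec["oid"]) == key:
            return uid
    return None


# Constructed token from an attacker-controlled tenant whose user set the
# email attribute to the victim's address; tid/oid still identify the attacker.
ATTACKER_TOKEN = {"tid": ATTACKER_TENANT, "oid": "oid-attacker", "email": "victim@example.com"}
# Constructed token for the legitimate victim.
VICTIM_TOKEN = {"tid": VICTIM_TENANT, "oid": "oid-victim", "email": "victim@example.com"}
```

Treat `email` from a multi-tenant token as display data only; if an address is needed for linking, confirm it out of band before trusting it.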
