This alert may not be shared outside your organization, Do Not Repost or send, place on other websites, List servers, or send to others via email, including other associations or parties. Members and Law enforcement use only. Contact us for any permissions. To do otherwise will result in the loss of membership.
Complete Story
07/11/2023
Microsoft Fixes NoAuth Flaws, Prevents Account Takeover
Security Boulevard
Microsoft has admitted that a vulnerability has been discovered in its Azure Active Directory (AD) Open Authorization (OAuth) process which facilitates hackers a complete account takeover. Researchers from Descope, a California-based identity and access management service, have reported the vulnerability and named it ‘NoAuth.’ During April 2023, Descope’s Chief Security Officer, Omer Cohen, described NoAuth as ‘an authentication implementation flaw that primarily affects multi-tenant OAuth applications within Microsoft Azure AD.’
The misconfiguration related to the modification of email attributes under the “Contact Information” section in Azure AD accounts. Exploiting the “Log in with Microsoft” feature, malicious actors could compromise victim accounts. To leverage the “Log in with Microsoft” option for authorization on the vulnerable app or website, an attacker merely needed to modify their Azure AD admin account’s email address to the victim’s address associated with the Azure AD admin account to the victim’s email address.
Alerts
The FRPA alert system distinguishes us from other groups by gathering and providing information to law enforcement, retailers AND financial institutions.
more information
Resources
Your electronic library to help in fighting financial fraud for all of our partners.
more information