
Microsoft Entra ID Could Redirect Authorization Codes to Cyber Criminals


Researchers have revealed privilege escalation related to a Microsoft Entra ID application. This came about due to the exploitation of an abandoned reply URL.

To put it simply

  • Bad actors could use this discarded URL to redirect authorisation codes to themselves.
  • When acquired illicitly, these codes could be exchanged for access tokens, granting the attackers greater privileges.
  • This would enable them to interact with the Power Platform API via an intermediary service and gain higher-level access.

Responsible companies act swiftly

Microsoft acted swiftly by addressing the issue in an update released shortly after responsible disclosure was made on April 5, 2023. In addition, Secureworks has shared a tool that other organizations can employ to scan for abandoned reply URLs.

Query parameters are not allowed in redirect URIs for any app registration configured to sign in users with personal Microsoft accounts like Outlook.com (Hotmail), Messenger, OneDrive, MSN, Xbox Live, or Microsoft 365.

After the user signs in, the authorisation server redirects the user back to the app’s registered “reply URL” (also called the “redirect URI”), and it is at that location that the app receives the authorization code or access token. Microsoft says, “It’s crucial to register the correct location during the app registration process.”
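As an added illustration of the kind of check described above (this is example code, not the Secureworks tool or anything from Microsoft), the audit below takes an app registration’s reply URLs and flags the conditions the article describes: a hostname that no longer resolves (an abandoned reply URL, worst when it sits on a re-registrable Azure suffix such as trafficmanager.net), a query string, or a non-HTTPS scheme. The reply URL list and the resolver are assumptions: in practice the URLs would come from the application object’s redirectUris fields in Microsoft Graph, and the resolver is injectable so the check can be run offline against a constructed sample.

```python
import socket
from urllib.parse import urlsplit

# Azure-hosted DNS suffixes where a deleted resource leaves behind a name that
# anyone can re-register; a dangling reply URL here is the highest-risk case.
AZURE_SUFFIXES = (".trafficmanager.net", ".azurewebsites.net",
                  ".cloudapp.azure.com", ".azurefd.net")

# Constructed sample, not a real app registration.
SAMPLE_REPLY_URLS = [
    "https://login.contoso.example/signin-oidc",
    "https://old-integration.trafficmanager.net/callback",
    "http://dev.contoso.example/auth?env=test",
]


def hostname_resolves(host):
    """Default resolver: True if the name currently has an A/AAAA record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_reply_urls(reply_urls, resolves=hostname_resolves):
    """Return (url, finding) pairs for every reply URL that needs attention."""
    findings = []
    for url in reply_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Microsoft permits http only for loopback redirects; everything else must be https.
        if parts.scheme != "https" and host not in ("localhost", "127.0.0.1"):
            findings.append((url, "non-https reply URL"))
        if parts.query:
            findings.append((url, "query string in reply URL"))
        if not host:
            continue
        if not resolves(host):  # nobody answers for this name any more
            risk = "dangling hostname"
            if host.endswith(AZURE_SUFFIXES):
                risk += " on a re-registrable Azure suffix"
            findings.append((url, risk))
    return findings


if __name__ == "__main__":
    for url, finding in audit_reply_urls(SAMPLE_REPLY_URLS):
        print(f"{finding}: {url}")
```

Run against live DNS the default resolver is used; the test below substitutes one that treats only the Traffic Manager name as gone.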

Secureworks Analysis

Secureworks’ Counter Threat Unit (CTU) revealed they uncovered an abandoned Dynamics Data Integration app’s reply URL linked to an Azure Traffic Manager profile. This enabled manipulating the Power Platform API through a middle-tier service, allowing for tampering with environment settings.

Network diagram (image)

This vulnerability could have been exploited in a hypothetical attack scenario to gain control over a service principal’s system administrator role.

From there, an attacker could take actions such as requesting the deletion of an environment, or use the Azure AD Graph API to gather information about a target for further attacks.

This exploit relies on a victim falling for a malicious link. If successful, the authorization code issued by Microsoft Entra ID upon login would be diverted to a redirect URL controlled by the malicious actor.

Be cautious and curious!

When we talk about innovation and security, a new awareness is emerging that takes in both the technical and the human element. Your choices, the trust you place in apparently trustworthy links, and your diligence in following best practices are all vital components of cybersecurity.

As we strive for digital progress, we must also cultivate a culture of cautious curiosity, in which an understanding of potential risks balances the willingness to explore.

Anas Hasan

August 29, 2023

Anas Hasan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football.
