From Reply URL to Goodbye Security: how to become an Entra ID admin in 5 minutes

Carding

The path from hacker to master of the system is one click long.

Cybersecurity researchers from the Secureworks Counter Threat Unit have identified a vulnerability in the Microsoft Entra ID authorization algorithm (formerly known as Azure Active Directory). The flaw allowed attackers to increase their system privileges.

The problem was an inactive Reply URL, i.e. the address to which the system redirects the user after authentication. For a successful attack of this kind, the victim needs to click a pre-prepared malicious link. After the click, the authorization code is sent to the inactive URL instead of the legitimate one.

"An attacker could use this URL to intercept authorization codes, exchanging them for access tokens," Secureworks said in a technical report. The report clarifies that an attacker would most likely have accessed the Power Platform API, thus expanding their rights. Information about a potential victim can be collected using the Azure AD Graph API.

With a system administrator role, it would be easy for a hacker to delete a specific environment in the system (effectively removing an entire module).

The server sends the authorization code or token to the address specified by the application's administrator. This is why it is so important to configure this address correctly at the development stage.

Microsoft began fixing the defect immediately after it was discovered on April 5, 2023, and released a patch the very next day. Secureworks has also released an open source tool that lets other organizations scan their systems for similar vulnerabilities.
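As an added illustration of the kind of check such a scanner performs (this is not the Secureworks tool or its code), the Python below audits each app registration's Reply URLs and flags hostnames that no longer resolve in DNS, the precondition for the abandoned-URL takeover described above, plus plain-http Reply URLs. The sample data is constructed to mimic the shape of a Microsoft Graph /applications response; the resolver is injectable so it can be pointed at your own DNS or asset inventory.

```python
import json
import socket
from urllib.parse import urlsplit
# Constructed sample shaped like a Microsoft Graph /applications response
# (appId, displayName, web/spa/publicClient.redirectUris). All values are made up.
SAMPLE_APPS = json.loads("""
{"value": [
  {"appId": "00000000-0000-0000-0000-000000000001",
   "displayName": "Payroll Portal",
   "web": {"redirectUris": ["https://payroll.example.com/signin-oidc",
                            "https://old-payroll.example.com/auth/callback"]},
   "spa": {"redirectUris": []},
   "publicClient": {"redirectUris": ["http://localhost:3000/callback"]}},
  {"appId": "00000000-0000-0000-0000-000000000002",
   "displayName": "Legacy Reporting",
   "web": {"redirectUris": ["http://reports.example.com/oauth2"]},
   "spa": {"redirectUris": ["https://reports-spa.example.com/"]},
   "publicClient": {"redirectUris": []}}
]}
""")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # http is tolerated only here

def host_resolves(host):
    """Default resolver: True if DNS returns any address for the host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_reply_urls(apps, resolver=host_resolves):
    """Return (appId, displayName, uri, issue) for each risky Reply URL.
    'unresolvable-host': host no longer resolves, so the URL may be abandoned and
    registrable by a third party (the Entra ID case); 'insecure-scheme': plain http."""
    findings = []
    for app in apps["value"]:
        uris = [u for s in ("web", "spa", "publicClient")
                for u in app.get(s, {}).get("redirectUris", [])]
        for uri in uris:
            parts = urlsplit(uri)
            host = (parts.hostname or "").lower()
            if not host or host in LOOPBACK:
                continue  # loopback dev URLs cannot be taken over externally
            if parts.scheme == "http":
                findings.append((app["appId"], app["displayName"], uri, "insecure-scheme"))
            if not resolver(host):
                findings.append((app["appId"], app["displayName"], uri, "unresolvable-host"))
    return findings
```

Run `audit_reply_urls(SAMPLE_APPS)` against live DNS, or pass `resolver=lambda h: h in known_hosts` to check against an inventory of hostnames your organization still controls.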

The discovery of the vulnerability coincided with a period of growth in phishing attacks, which often use DocuSign — a popular platform for electronic signature and document management. This highlights the urgency of the security issue for all online services. "By creating a spoof URL to mimic a trusted website, an attacker can easily mislead the user," says George Glass of Kroll.