Suspect that Domain whitelist accept “WILDCARD” domain feature causes 3rd party takeover Azure user account.

Preface: The OAuth 2.0 Authorization Framework (RFC 6749, October 2012)

Technical background: In the traditional Client-Server architecture, when the Client wants to fetch the protected resources (Protected Resoruce), it is necessary to present the account and password of the user (Resource Owner) to the Server. OAuth introduces an authentication layerThe Client will get an Access Token to access Protected Resources instead of using the account password of the Resource Owner. An Access Token is a string that records information about a specific scope of access, timeliness, and more.

Vulnerability details: The details of the vulnerability shown on attached diagram. But the root cause of this design weakness perhaps not limited to CyberArk researchers discovery. Azure trust certain third-party domains and sub-domains. Can you imagine that the problem may be involved wildcard domain included in whitelist?

Focus: Heard that Microsoft didn’t issue a CVE because the bug is located only in their Online Service. Strange!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.