nOAuth: Account Takeover via Microsoft OAuth

Bibek Shah
Oct 2, 2023

Hi everyone, I want to share a cool and easy account takeover I recently found. I was able to perform a full account takeover via the Sign in with Microsoft feature. I hope you will learn something new in this one :)

The website had different ways to sign in: email, and OAuth providers like Google, Microsoft and Apple. Descope recently discovered a misconfiguration in Microsoft, which can be found here. My target also had the Sign in with Microsoft feature, so I decided to test the nOAuth vulnerability.

Prerequisites for attack

To test this vulnerability, the attacker needs to create a tenant organization in their Microsoft portal, which is free to create.

1. Go to your Azure portal and search for Azure Active Directory.

2. Click on Create New Tenant and choose the tenant type Azure Active Directory.

3. Give it a name and click on Review and create. It will then give you a captcha; solve it, and the tenant will take roughly a minute to create.

4. Now that you have created a tenant, click on Add > User > Create a new user.

5. Fill in the details and make sure you remember the password.

6. Click on the Users section on the left to show the user you created.

7. Now click on the user you created, go to the Properties section, change the email under contacts and click on Save. Enter your victim's email there; it can be any email.

Now that all prerequisites for the attack are completed, you can test sites for the nOAuth vulnerability.

Misconfiguration Takeover Testing Scenario

Victim: Sign up on the website with the victim's email using any of the sign-up options, and verify the account if required.

Attacker:

1. Choose to sign in with Microsoft and use the email and password from the account you created above.

2. Enter the details we created above in the Microsoft account login process. If the website is vulnerable, you will get logged into the victim's account.

Simple, yet critical, leading to account takeover.

POC:

The company did not allow me to make it public ¯\_(ツ)_/¯. I will make sure to add it if any of them agree.

Why this happens:

Vulnerable sites rely on claims like email and preferred_username to identify the user, which Microsoft warns not to use.
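The difference on the relying-party side, as an added example that is not from the original write-up or the affected site: a lookup keyed on the email claim next to one keyed on the tid and oid claims (the tenant and object identifiers in a Microsoft ID token). The user store, function names and all claim values are hypothetical and constructed for illustration, and the token signature is assumed to be already validated.

```python
# Added example: account lookup at login, vulnerable vs hardened.
# USERS, the function names and every claim value are constructed.

USERS = [
    # Signed up with email and password; no Microsoft identity linked yet.
    {"id": 1, "email": "victim@example.com", "ms_identity": None},
    # Already linked to a Microsoft identity as (tenant id, object id).
    {"id": 2, "email": "alice@example.com", "ms_identity": ("tenant-A", "oid-alice")},
]

def lookup_by_email(claims):
    """Vulnerable pattern: trusts the mutable 'email' claim as the identity."""
    email = (claims.get("email") or "").lower()
    for user in USERS:
        if user["email"] == email:
            return user
    return None

def lookup_by_subject(claims):
    """Hardened pattern: matches only on the immutable (tid, oid) pair."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    for user in USERS:
        if user["ms_identity"] == (tid, oid):
            return user
    # Unknown identity: treat as a new sign-up, or link to an existing
    # account only after the site itself verifies ownership of the email.
    return None

# Claims from a foreign tenant whose admin set the email attribute freely.
FOREIGN_TENANT_CLAIMS = {
    "tid": "tenant-X",
    "oid": "oid-123",
    "email": "victim@example.com",
    "preferred_username": "user@tenant-x.example",
}
# Claims for a user whose Microsoft identity is already linked.
ALICE_CLAIMS = {"tid": "tenant-A", "oid": "oid-alice", "email": "alice@example.com"}

if __name__ == "__main__":
    print("email lookup   ->", lookup_by_email(FOREIGN_TENANT_CLAIMS))
    print("subject lookup ->", lookup_by_subject(FOREIGN_TENANT_CLAIMS))
    print("linked user    ->", lookup_by_subject(ALICE_CLAIMS))
```

The email-based lookup hands the foreign-tenant token the email/password account, while the (tid, oid) lookup returns nothing for it and still resolves the legitimately linked user.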

Thanks for making it to the end. I hope you enjoyed this write-up.

If you have any questions, please DM me on Twitter.
