Cybersecurity researchers from SecureWorks Counter Threat Unit revealed a vulnerability in the algorithm of the Micro authorization algorithm Soft Entra ID (earlier known as Azure Active Directory). The defect allowed attackers to increase their system privileges.
The issue stemmed from an inactive Reply URL, which is the address to which the system redirects the user after identification. To successfully execute an attack of this kind, the victim needed to click on a pre-prepared malicious link. Upon clicking, instead of being sent to a legitimate URL, the authorization code would be sent to an inactive one.
“The attacker could use this URL to intercept authorization codes, exchanging them for access tokens,” explained the technical report. The report also mentioned that the attacker would most likely exploit the Power Platform API to expand their rights, and could gather information about the potential victim through the Azure Ad Graph API.
With the role of a system administrator, the attacker could easily remove specific components from the system, effectively excluding them.
During the period of growth in phishing attacks, which often exploit platforms such as Docusign, a popular electronic signature and document management platform, the vulnerability was discovered. This highlights the significance of the security issue for all online services. George Glass from Krolle commented, “By creating a premium URL to mimic a trusted website, the attacker can easily deceive the user.”
Upon discovering the vulnerability, Microsoft promptly began the process of eliminating it. A patch was released the very next day, on April 5, 2023. SecureWorks also developed an open tool to enable other organizations to scan their systems for similar vulnerabilities.