Abandoned reply URL in Azure AD app could let attackers gain privileges to launch attacks


An Azure Active Directory (AD) app with an abandoned reply URL was recently observed, a situation that could let an attacker take over the abandoned URL to redirect authorization codes to themselves and then exchange the fraudulently obtained authorization codes for access tokens.


In an Aug. 24 blog post, the Secureworks Counter Threat Unit (CTU) said a threat actor could potentially then call Microsoft’s Power Platform API via a middle-tier service and obtain elevated privileges to launch attacks.


The CTU researchers reported the issue to Microsoft at the beginning of April. They said Microsoft quickly confirmed privilege escalation was possible and assigned a critical severity rating. Within 24 hours of CTU notification, Microsoft removed the abandoned reply URL from the Azure AD app.


According to Microsoft, a redirect URI or reply URL is the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server then sends the code or token to the redirect URI, so Microsoft advises security teams to register the correct location as part of the app registration process.

The CTU researchers said they had no evidence, as of the publication of their Aug. 24 blog, that the specific abandoned reply URLs they identified had been abused. Because the identified application is managed by the vendor, the researchers said, organizations cannot mitigate this issue directly.


“The only option would be deleting the service principal, which would nullify any legitimate use of the app,” said the CTU researchers. “We recommend monitoring for abandoned reply URLs.”
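One way to act on that monitoring advice is to sweep a tenant's app registrations for reply URLs whose hostnames no longer resolve, which is the simplest signal that a reply URL has been abandoned. The script below is an added example written for this article, not code from Secureworks or Microsoft. It assumes the registrations have already been exported in the shape Microsoft Graph returns from `GET /applications` (`displayName`, `appId`, `web.redirectUris`); the three registrations and the stand-in "DNS" table are constructed so it runs offline, and `live_resolver` shows where a real lookup would plug in.

```python
"""Flag reply (redirect) URLs in Azure AD app registrations whose host no
longer resolves, the basic check behind 'monitor for abandoned reply URLs'."""
import socket
from urllib.parse import urlparse

# Constructed sample registrations, shaped like the objects Microsoft Graph
# returns from GET /applications?$select=displayName,appId,web
# (assumption: only displayName, appId and web.redirectUris are used here).
SAMPLE_APPS = [
    {
        "displayName": "Payroll Portal",
        "appId": "11111111-1111-1111-1111-111111111111",
        "web": {"redirectUris": [
            "https://payroll.example.com/signin-oidc",
            "https://legacy-payroll.example.net/callback",  # host decommissioned
        ]},
    },
    {
        "displayName": "Desktop Client",
        "appId": "22222222-2222-2222-2222-222222222222",
        "web": {"redirectUris": [
            "http://localhost:5000/auth",
            "msal22222222-2222-2222-2222-222222222222://auth",
        ]},
    },
    {
        "displayName": "Reporting API",
        "appId": "33333333-3333-3333-3333-333333333333",
        "web": {"redirectUris": ["https://reports.example.com/oauth2/redirect"]},
    },
]

# Constructed stand-in for DNS so the example runs offline.
RESOLVABLE_HOSTS = {"payroll.example.com", "reports.example.com"}


def offline_resolver(host):
    """Return True if the constructed 'DNS' table knows the host."""
    return host in RESOLVABLE_HOSTS


def live_resolver(host):
    """Real lookup through the system resolver (not used by the sample run)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def dns_host(redirect_uri):
    """Return the DNS name that must be controlled to receive codes sent to
    this reply URL, or None when no public DNS name is involved
    (loopback addresses and custom schemes such as msal<appid>://auth)."""
    parsed = urlparse(redirect_uri)
    if parsed.scheme not in ("http", "https"):
        return None
    host = parsed.hostname
    if host is None or host in LOOPBACK:
        return None
    return host.lower()


def find_abandoned_reply_urls(apps, resolver=offline_resolver):
    """Return (displayName, appId, uri, host) for every reply URL whose
    host does not resolve according to the supplied resolver."""
    findings = []
    for app in apps:
        for uri in app.get("web", {}).get("redirectUris", []):
            host = dns_host(uri)
            if host is None:
                continue
            if not resolver(host):
                findings.append((app["displayName"], app["appId"], uri, host))
    return findings


if __name__ == "__main__":
    for name, app_id, uri, host in find_abandoned_reply_urls(SAMPLE_APPS):
        print(f"ABANDONED reply URL on '{name}' ({app_id}): {uri} "
              f"(host {host} does not resolve)")
```

Swap `live_resolver` in for `offline_resolver` to run it against a real export. A non-resolving host is only the loudest signal: a hostname that still resolves but points at a cloud resource or domain the organization no longer owns is just as abandoned, so a fuller check also compares each host against the organization's own DNS zones and cloud inventory. As the article notes, for a vendor-managed application the registration lives in the vendor's tenant, so a finding there can only be escalated to the vendor, not fixed locally.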


Zane Bond, head of product at Keeper ..
