Microsoft has been aware of the AAD/O365 vulnerability for almost 2 years.
A friend found this link, clearly showing Microsoft has been aware of the risk of users giving consent to illicit applications since at least January 2018.
https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
They have not done much to prevent this, but has worked to create more post-mortem tools.
One of the links in the article points to an article by a former cyber criminal, which has a youtub video showing PoC of a real-time crypto-locker working on the users mailbox. Scary stuff.
https://youtu.be/VX59Gf-Twwo
We also have the fact, that 2 years ago, knowledge of free Let's Encrypt certificate was not so widespread, and a HTTPS certificate is a requirement from Microsoft.
I am not working as a developer, but do have some coding/scripting experience, and I got the sample to run in about the 5 minutes Microsoft says it takes.
The hacker/developer that requests consent gets a long list of checkboxes, and he can see which permissions not to ask for, that is all those that require admin consent.
As somebody who manages security in O365 instances, I would like to have a mask I could apply to my users. Allow them to do OAuth2 / OpenID authentication everywhere and deliver e-mail address and name to the remote website without consent. Maybe allow people to give 3rd party access to their calendar.
As it is now, I have to grant consent on a per app basis, as I have revoked all user consent options completely.
But my idea with admin controlling what permissions the users can delegate will make the job more difficult for developers, as they never know if the user will need to get admin consent or not. But it would allow me to open up a bit more than I do now, after my discovery.
https://securityintheenterprise.blogspot.com/2019/11/microsoft-azuread-and-office365-not.html
Local Microsoft office is not happy about my release of my blog article, they feel bypassed, and I should have gone through them. But all my correspondence to this case followed the official channels, Microsoft Security Response Center, where I got a case number, and 2 times was asked to delay the release/disclosure which I fully respected.
https://blogs.technet.microsoft.com/office365security/defending-against-illicit-consent-grants/
They have not done much to prevent this, but has worked to create more post-mortem tools.
One of the links in the article points to an article by a former cyber criminal, which has a youtub video showing PoC of a real-time crypto-locker working on the users mailbox. Scary stuff.
https://youtu.be/VX59Gf-Twwo
What has changed
What makes this even worse today is, that the Microsoft Sample code Wizard makes it very easy to create the phishing website. The wizard generates passwords, and creates source code with your own AppID and password inserted. So now we are down where this is possible with a minimum of coding skills.We also have the fact, that 2 years ago, knowledge of free Let's Encrypt certificate was not so widespread, and a HTTPS certificate is a requirement from Microsoft.
I am not working as a developer, but do have some coding/scripting experience, and I got the sample to run in about the 5 minutes Microsoft says it takes.
The hacker/developer that requests consent gets a long list of checkboxes, and he can see which permissions not to ask for, that is all those that require admin consent.
As somebody who manages security in O365 instances, I would like to have a mask I could apply to my users. Allow them to do OAuth2 / OpenID authentication everywhere and deliver e-mail address and name to the remote website without consent. Maybe allow people to give 3rd party access to their calendar.
As it is now, I have to grant consent on a per app basis, as I have revoked all user consent options completely.
But my idea with admin controlling what permissions the users can delegate will make the job more difficult for developers, as they never know if the user will need to get admin consent or not. But it would allow me to open up a bit more than I do now, after my discovery.
https://securityintheenterprise.blogspot.com/2019/11/microsoft-azuread-and-office365-not.html
Local Microsoft office is not happy about my release of my blog article, they feel bypassed, and I should have gone through them. But all my correspondence to this case followed the official channels, Microsoft Security Response Center, where I got a case number, and 2 times was asked to delay the release/disclosure which I fully respected.
Comments
Post a Comment