In today’s experiment with a well-known multi-tenant app that uses email to identify users, two key observations were made:
1️⃣ Account Takeover Within Same Tenant: By reusing the email of a deleted account, it was possible to log into the app as the original user.
2️⃣ Cross-Tenant Takeover Attempt: A user was created in a different Entra ID tenant with the victim's email address (no mailbox was needed; only the mail attribute was populated). The attacker was one OTP away from logging in as the victim with administrative privileges. The victim tenant's MFA, Conditional Access and device compliance policies never applied, because authentication was handled by the attacker's tenant.
You Should Know:
To mitigate such risks, here are some actionable steps and commands:
1. Review Multi-Tenant Apps:
- Use the Microsoft Graph PowerShell SDK (the AzureAD module is retired) to list the app registrations you own that accept sign-ins from other tenants, and the third-party service principals your users have consented to that are owned by another tenant:
Connect-MgGraph -Scopes "Application.Read.All"
Get-MgApplication -All | Where-Object { $_.SignInAudience -ne "AzureADMyOrg" } | Select-Object DisplayName, AppId, SignInAudience
Get-MgServicePrincipal -All | Where-Object { $_.AppOwnerOrganizationId -and $_.AppOwnerOrganizationId -ne (Get-MgContext).TenantId } | Select-Object DisplayName, AppId, AppOwnerOrganizationId
2. Migrate Off Email Claim Authorization:
- Follow Microsoft's guidance in the Microsoft Learn article "Migrate off email claim authorization": stop using the email claim (and other mutable claims such as preferred_username and upn) to look up or authorize users, and key accounts on the immutable oid claim together with tid (or on the sub claim, which is also immutable but pairwise per app registration). Apply the change to existing user records, not only to new onboarding.
3. Implement Proactive Security Measures:
- Require MFA for all users in your tenant with a Conditional Access policy (Microsoft Graph PowerShell; the AzureAD module is retired). Start it in report-only mode (state = "enabledForReportingButNotEnforced") and exclude a break-glass account before enforcing. Note what this does and does not cover: it protects sign-ins that your tenant authenticates. In the cross-tenant case above the token was issued by the attacker's tenant, so your MFA, CA and device compliance policies never ran. The control that closes that hole lives in the app: restrict which tenants it accepts (an allowlist of tid values, or a single-tenant sign-in audience for apps you own) and identify users by immutable claims as in step 2.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA outside trusted locations"
    state         = "enabled"
    conditions    = @{
        applications = @{ includeApplications = @("All") }
        users        = @{ includeUsers = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
4. Audit and Monitor:
- Pull sign-in logs with the Microsoft Graph PowerShell SDK, filter to the app in question (replace <app-id> with its application ID) and use a full ISO 8601 timestamp in the filter:
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2023-10-01T00:00:00Z and appId eq '<app-id>'"
Keep in mind that a sign-in authenticated by another tenant is recorded in that tenant's logs, not in yours. For the cross-tenant case the app's own access logs (which tid each session's token carried, and whether it matches the tenant the account was provisioned from) are the place to look.
5. Update App Integration Standards:
- Validate tokens as OIDC requires (signature, issuer, audience, expiry, nonce) and identify users by the immutable oid and tid pair (or sub), never by mutable claims such as email, preferred_username or upn. Treat an unknown (tid, oid) as a new identity with no inherited privileges, even when its email matches an existing record.
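The app-side change that steps 2 and 5 call for, as an added example that is not code from the original post or from the app that was tested: a Python simulation of both takeovers against a user store keyed on the email claim and against one keyed on the immutable tid + oid pair behind a tenant allowlist. The tenant IDs, object IDs, names and mail addresses are constructed, and the claim dictionaries stand in for ID tokens whose signature, issuer, audience and expiry have already been validated.

```python
# Added example (not code from the original post or the app it tested): a
# simulation of the two takeovers and of the fix. Tenant IDs, object IDs,
# names and mail addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VICTIM_TID = "11111111-1111-1111-1111-111111111111"    # constructed tenant ID
ATTACKER_TID = "22222222-2222-2222-2222-222222222222"  # constructed tenant ID


def claims(tid: str, oid: str, email: str, name: str = "Alice") -> dict:
    """Constructed claim set as the app sees it after validating an ID token.
    Signature, issuer, audience and expiry checks are assumed to have passed."""
    return {"tid": tid, "oid": oid, "email": email, "name": name}


# Scenario tokens (all constructed).
VICTIM = claims(VICTIM_TID, "aaaaaaaa-0000-0000-0000-000000000001", "alice@contoso.com")
# Same tenant: the original account was deleted and a new one created with the
# same mail address. Entra assigns a fresh object ID; the email is identical.
REISSUED = claims(VICTIM_TID, "aaaaaaaa-0000-0000-0000-000000000002", "alice@contoso.com")
# Other tenant: the attacker sets the mail attribute of a user in their own tenant.
CROSS_TENANT = claims(ATTACKER_TID, "bbbbbbbb-0000-0000-0000-000000000001", "alice@contoso.com")
# Same person and account, but the mail address changed (a rename).
RENAMED = claims(VICTIM_TID, "aaaaaaaa-0000-0000-0000-000000000001", "alice.smith@contoso.com")


@dataclass(frozen=True)
class AppUser:
    display_name: str
    role: str  # "admin" or "member"


class EmailKeyedApp:
    """Vulnerable pattern: the mutable email claim is the user's identity."""

    def __init__(self) -> None:
        self._users: Dict[str, AppUser] = {}

    def onboard(self, c: dict, role: str) -> None:
        self._users[c["email"].lower()] = AppUser(c["name"], role)

    def login(self, c: dict) -> Optional[str]:
        user = self._users.get(c.get("email", "").lower())
        return user.role if user else None


class ImmutableKeyedApp:
    """Hardened pattern: allowlist the issuing tenant and key users on (tid, oid).
    oid is immutable and unique within a tenant, so the pair is globally unique;
    the OIDC 'sub' claim would also work but is pairwise per app registration."""

    def __init__(self, allowed_tenants: set) -> None:
        self._allowed = set(allowed_tenants)
        self._users: Dict[Tuple[str, str], AppUser] = {}

    @staticmethod
    def _key(c: dict) -> Tuple[str, str]:
        return (c["tid"], c["oid"])

    def onboard(self, c: dict, role: str) -> None:
        if c["tid"] not in self._allowed:
            raise ValueError("tenant not allowed")
        self._users[self._key(c)] = AppUser(c["name"], role)

    def login(self, c: dict) -> Optional[str]:
        # A token issued by a tenant the app does not serve is rejected outright;
        # the victim tenant's Conditional Access never saw this sign-in.
        if c.get("tid") not in self._allowed:
            return "rejected"
        user = self._users.get(self._key(c))
        # Unknown (tid, oid) means a new identity: nothing is inherited from a
        # record that merely shares the email address.
        return user.role if user else None


def run_scenarios() -> Dict[str, Dict[str, Optional[str]]]:
    """Onboard the victim as admin in both apps, then log each scenario token in.
    Returns the role (or rejection) each login obtained, per app and scenario."""
    scenarios = {"legitimate": VICTIM, "same_tenant_reuse": REISSUED,
                 "cross_tenant": CROSS_TENANT, "renamed": RENAMED}
    weak, strong = EmailKeyedApp(), ImmutableKeyedApp({VICTIM_TID})
    weak.onboard(VICTIM, "admin")
    strong.onboard(VICTIM, "admin")
    return {
        "email_keyed": {n: weak.login(c) for n, c in scenarios.items()},
        "immutable_keyed": {n: strong.login(c) for n, c in scenarios.items()},
    }


if __name__ == "__main__":
    for app, results in run_scenarios().items():
        for scenario, outcome in results.items():
            print(f"{app:16} {scenario:18} -> {outcome}")
```

Run it and the email-keyed app hands the admin role to the re-created account and to the attacker's tenant, while losing the legitimately renamed user; the (tid, oid)-keyed app does the opposite on every count. The "rejected" branch is where a multi-tenant app enforces its own tenant allowlist, since nothing in the victim's tenant can intervene once the token comes from elsewhere.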
What Undercode Say:
Account takeover in SSO apps that authorize on mutable claims is a significant threat, and the two cases above show why the fix belongs in the app rather than in the victim's tenant: an email address can be reassigned inside a tenant and asserted from any other tenant, and the victim tenant's MFA, Conditional Access and device compliance never see a sign-in that another tenant authenticated. Use the PowerShell commands above to find your multi-tenant apps and watch their sign-ins, enforce MFA for the sign-ins you do control, and require app owners to identify users by oid and tid (or sub) and to restrict the tenants they accept. Re-audit multi-tenant applications regularly as new ones are consented to.
References:
Reported By: Mahantesh Hiremath – Hackers Feeds