Company:
Date Published:
Author: Maria Paktiti
Word count: 1005
Language: English
Hacker News points: None

Summary

The nOAuth vulnerability in Microsoft Azure AD OAuth applications allows an attacker to completely take over a user's account by exploiting the way the `email` claim is used as a unique identifier. The flaw appears when a third-party application relies on the mutable and unverified `email` claim to identify users without proper validation or verification. To mitigate it, Microsoft has introduced two new claims to improve security, and developers are advised never to use the `email` claim for authentication or authorization decisions, relying instead on the `sub` claim as the unique identifier for users. Some companies, such as WorkOS, have additionally implemented email verification processes to prevent this class of vulnerability.
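The identifier rule the summary describes, as an added example that is not code from the original post: an account lookup keyed on the mutable `email` claim beside a hardened lookup keyed on issuer plus `sub`, with the email surfaced only when the token marks it verified. Tenant issuer URLs, subject values, user ids and the `email_verified` handling are constructed assumptions, not values from the page.

```python
# Constructed sample data: two tenants, one legitimate and one controlled by
# someone else. Both can mint an ID token whose `email` reads alice@example.com.
VICTIM_ISSUER = "https://login.microsoftonline.com/victim-tenant-id/v2.0"      # constructed
OTHER_ISSUER = "https://login.microsoftonline.com/other-tenant-id/v2.0"        # constructed

# The application's existing user records, indexed the way each lookup uses them.
USERS_BY_EMAIL = {"alice@example.com": "user-42"}                       # vulnerable index
USERS_BY_SUBJECT = {(VICTIM_ISSUER, "victim-sub-abc"): "user-42"}       # hardened index

# Constructed ID-token claim sets (signature verification assumed to have passed).
LEGIT_TOKEN = {"iss": VICTIM_ISSUER, "sub": "victim-sub-abc",
               "email": "alice@example.com", "email_verified": True}
FOREIGN_TOKEN = {"iss": OTHER_ISSUER, "sub": "other-sub-xyz",
                 "email": "alice@example.com"}


def lookup_user_vulnerable(claims):
    """Resolve the account from the `email` claim alone.

    Because `email` is mutable and unverified, a token from any tenant that
    carries the same address resolves to the same account: the nOAuth flaw.
    """
    return USERS_BY_EMAIL.get(claims.get("email"))


def lookup_user_hardened(claims):
    """Resolve the account from the (issuer, `sub`) pair only.

    `sub` is immutable and unique within its issuer, so an identity from a
    different tenant never matches an existing record, whatever its email says.
    """
    key = (claims.get("iss"), claims.get("sub"))
    return USERS_BY_SUBJECT.get(key)


def trusted_email(claims):
    """Return the email for display/contact only when the IdP marked it verified.

    `email_verified` is the standard OIDC claim; treating its absence as
    unverified is the conservative assumption used here.
    """
    if claims.get("email_verified") is True:
        return claims.get("email")
    return None
```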