Abusing Entra OAuth for fun and access to internal Microsoft applications
15 days ago
- #Microsoft
- #Vulnerability
- #Cybersecurity
- The author gained access to over 22 internal Microsoft services because of misconfigurations in multi-tenant applications.
- Initial access was gained through aka.ms and eng.ms domains, leading to unauthorized entry into Microsoft's Engineering Hub.
- The vulnerability stemmed from misconfigured Entra ID authentication, allowing login via personal Microsoft accounts.
- Subdomain enumeration revealed 1,406 applications using Entra ID, 176 of which were misconfigured as multi-tenant (accepting sign-ins from any tenant).
- Exploiting these misconfigurations provided access to sensitive internal tools like the Security Intelligence Platform and Media Creation service.
- The research highlights shared responsibility risks in application deployment and authentication checks.
- A PowerShell script was developed to identify vulnerable multi-tenant applications in an organisation's own Entra environment.
- The author reported findings to MSRC, earning significant bug bounties and third place on the Q1 leaderboard.
- A final exploit in the 'Rewards Support Tool' demonstrated potential for financial gain, humorously termed an 'infinite money glitch'.