Researchers Discover Reply URL Takeover in Azure
Security researchers are urging Azure Active Directory (AD) users to monitor for abandoned reply URLs after revealing a critical vulnerability in the Microsoft Power Platform.
Secureworks said it discovered the reply URL takeover bug earlier in April and it was fixed by Microsoft within 24 hours.
More specifically, the researchers had found an abandoned reply URL address in an Azure AD application related to the low-code Power Platform.
Attackers could use the URL to redirect authorization codes to themselves, exchanging these for access tokens. The threat actor could then call the Power Platform API via a middle-tier service and obtain elevated privileges, Secureworks said.
“Power Platform API lets users manage environments, change environment settings, and query capacity consumption. As a result, it is a prime target for threat actors seeking privileged access,” it wrote.
“We demonstrated privileged access on the Power Platform API by elevating the privileges of an existing service principal. The goal was not to further abuse this privileged access but to demonstrate that privileged actions such as elevating applications and deleting environments are possible due to the access gained via the middle-tier service.”
Read more on Azure AD threats: Chinese Threat Group Compromises US Government
Attackers that understand how the Power Platform admin API works could probably develop additional attack scenarios, Secureworks warned.
In the end, Microsoft quickly remediated the bug by removing the abandoned reply URL in question from the Azure AD application.
However, Secureworks urged security admins to keep an eye on their Azure AD applications’ reply URLs to avoid an attack scenario like the one described above.
“Because the identified application is managed by the vendor, organizations cannot mitigate this issue directly,” it concluded. “The only option would be deleting the service principal, which would nullify any legitimate use of the app. We recommend monitoring for abandoned reply URLs.”