Microsoft's Azure Active Directory B2C service contained a cryptographic flaw that allowed an attacker to craft an OAuth refresh token with the contents of any user account. An attacker could redeem this forged refresh token for a session token, thereby gaining access to the victim's account as if the attacker had logged in through a legitimate login flow.

Praetorian reported this security vulnerability to Microsoft in two parts, in March 2021 and July 2022, and Microsoft applied two changes, in December 2022 and February 2023. Based on our examination of Microsoft's fixes, however, previously exploited Azure B2C environments may remain vulnerable to attackers until the rollout of Microsoft's second fix is complete on Feb 15, 2023.

## Impact: Potential range of effect

Azure B2C environments with the following configuration were likely to be susceptible to the vulnerability:

- An application configured with the OAuth Authorization Code flow (with PKCE).
- An environment configured as described in Microsoft's tutorial documentation, without any modifications to the cryptographic guidance therein.