Beware! Microsoft Graph API OmniAuth Strategy Vulnerability Could Lead to Account Takeover

CVE: CVE-2024-21632
CVSS v3.1: 8.6
Source: CVE-2024-21632

The omniauth-microsoft_graph gem, which provides an OmniAuth strategy for signing users in through the Microsoft identity platform and Graph API, contained a flaw that allowed account takeover in applications relying on it.

The issue was that the strategy passed the email attribute from the user object returned during OAuth authentication straight through to the application without checking that it was verified. Microsoft does not guarantee that this attribute is a verified address: the holder of a Microsoft account, or an administrator of an attacker-controlled tenant, can set it to any value, including another person's email. An attacker could therefore sign in with an account they control and present the victim's email address to the application.

This affected any application using the omniauth-microsoft_graph gem to authenticate users via Microsoft accounts, such as Outlook or Office 365 accounts. If the application used the email address as the sole identifier of the authenticated user, looking up the local account by that address alone, an attacker could spoof the email and be logged in as someone else.
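As an added example (not code from the page or from the omniauth-microsoft_graph gem), the Ruby below models the account-lookup step of an OmniAuth callback against an in-memory user store: first the vulnerable email-keyed lookup, then a lookup keyed on the stable provider and `uid` pair. The auth hashes are constructed in the shape OmniAuth delivers (`provider`, `uid`, `info.email`); the `UserStore` class, the `email_verified:` argument and the uid values are hypothetical, and how an application decides that an address is verified is left to the strategy it uses.

```ruby
# Added example; not code from the page or the omniauth-microsoft_graph gem.
# UserStore, the uid values and the email_verified: keyword are hypothetical.

User = Struct.new(:id, :email, :provider, :uid)

# Hypothetical stand-in for the application's users table.
class UserStore
  def initialize(users)
    @users = users.dup
  end

  def find_by_email(email)
    @users.find { |u| u.email.casecmp?(email.to_s) }
  end

  def find_by_identity(provider, uid)
    @users.find { |u| u.provider == provider && u.uid == uid }
  end

  def link_identity(user, provider, uid)
    user.provider = provider
    user.uid = uid
    user
  end

  def create(email, provider, uid)
    user = User.new(@users.size + 1, email, provider, uid)
    @users << user
    user
  end
end

# Vulnerable pattern: the email claim is the sole key. An attacker who set the
# mail attribute of their own Microsoft account to the victim's address is
# handed the victim's record.
def login_by_email(store, auth)
  store.find_by_email(auth['info']['email'])
end

# Hardened pattern: a returning user is matched on (provider, uid). Email is
# consulted only to link a never-seen identity to an existing account, and only
# when the caller vouches that the provider verified the address; otherwise the
# sign-in is refused (nil) so the application can run its own verification.
def login_by_identity(store, auth, email_verified: false)
  provider, uid = auth['provider'], auth['uid']
  email = auth['info']['email']

  if (user = store.find_by_identity(provider, uid))
    return user
  end

  existing = store.find_by_email(email)
  if existing
    return email_verified ? store.link_identity(existing, provider, uid) : nil
  end

  store.create(email, provider, uid)
end

# Constructed data: the victim registered earlier through the strategy with
# uid "victim-oid"; the attacker's own account has uid "attacker-oid" but
# carries the victim's address in its unverified mail attribute.
VICTIM = User.new(1, 'alice@example.com', 'microsoft_graph', 'victim-oid')

VICTIM_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => 'victim-oid',
  'info'     => { 'email' => 'alice@example.com' },
}

ATTACKER_AUTH = {
  'provider' => 'microsoft_graph',
  'uid'      => 'attacker-oid',
  'info'     => { 'email' => 'alice@example.com' },
}

# Runs both patterns against the same data and reports which account each
# sign-in resolves to (nil means the sign-in was refused).
def demo
  vulnerable = login_by_email(UserStore.new([VICTIM]), ATTACKER_AUTH)
  hardened   = login_by_identity(UserStore.new([VICTIM]), ATTACKER_AUTH)
  legit      = login_by_identity(UserStore.new([VICTIM]), VICTIM_AUTH)
  {
    vulnerable_hit: vulnerable&.id, # attacker is logged in as the victim
    hardened_hit:   hardened&.id,   # refused: no account matches the uid
    victim_hit:     legit&.id,      # the real victim still signs in normally
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `email_verified: true` branch is the only place the address is trusted, and it runs once: after linking, the `(provider, uid)` pair identifies the user on every later sign-in, so a later change to the account's mail attribute cannot redirect it to another local account.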

The good news is that version 2.0.0 of the gem addresses this vulnerability by adding email validation. Application owners using older versions should upgrade immediately and, while doing so, check whether their callback looks up users by email alone rather than by the provider's stable `uid`.

There is little end users can do on their side. The attacker signs in with a Microsoft account they control and never touches the victim's credentials, so a strong password or multi-factor authentication on the victim's Microsoft account does not stop this attack. The fix has to come from the application: upgrade the gem and match authenticated users on the provider's stable identifier rather than on email alone. Users who suspect their account on an affected application was accessed should report it to that application's operator.
