Beware! Microsoft Graph API OmniAuth Strategy Vulnerability Could Lead to Account Takeover

CVE: CVE-2024-21632
CVSS v3.1: 8.6
Source: CVE-2024-21632

The omniauth-microsoft_graph gem, which provides an authentication strategy for the Microsoft Graph API, had a vulnerability prior to version 2.0.0 that could have led to account takeover.

The issue was that the gem did not properly validate the “email” attribute of the user object returned during OAuth authentication. If an application used that email address as the unique identifier for the user, an attacker who could spoof it could be matched to someone else’s account and hijack it.

Because the email was not validated, the integration was exposed to the “nOAuth” misconfiguration, in which an OAuth integration is tricked into treating one user as if they had authenticated as another. An attacker could then log into the service as a different user and take over that user’s access.
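The following Ruby example is added here to illustrate the account-lookup pattern that makes the nOAuth issue exploitable, beside the hardened pattern; it is not code from the omniauth-microsoft_graph gem. The account table and auth hashes are constructed, and the hash layout (provider, uid, info.email) mirrors the OmniAuth auth hash shape.

```ruby
# Added example (not the gem's own code): vulnerable vs. hardened account lookup
# for an OmniAuth-style auth hash. Everything below is constructed for illustration.

# Constructed in-memory account table (a real app would query a database).
ACCOUNTS = [
  { id: 1, provider: 'microsoft_graph', uid: 'oid-victim-0001', email: 'alice@example.com' }
].freeze

# Vulnerable: treats the unverified email attribute as the unique user key.
# Any identity whose email claim reads alice@example.com maps to account 1.
def find_account_vulnerable(auth)
  email = auth.dig(:info, :email).to_s
  ACCOUNTS.find { |a| a[:email].casecmp?(email) }
end

# Hardened: key on provider + uid (the provider-issued subject identifier)
# and treat info.email as display data only.
def find_account_hardened(auth)
  ACCOUNTS.find { |a| a[:provider] == auth[:provider] && a[:uid] == auth[:uid] }
end

# Detection aid: flag a login where a known uid arrives with a changed email,
# so it can be reviewed instead of silently re-keying the account.
def email_mismatch?(auth)
  account = find_account_hardened(auth)
  !account.nil? && !account[:email].casecmp?(auth.dig(:info, :email).to_s)
end

# Constructed auth hashes: a genuine login, a login from a different identity
# whose email attribute carries the victim's address, and a genuine uid whose
# email attribute has changed.
GENUINE_AUTH = { provider: 'microsoft_graph', uid: 'oid-victim-0001',
                 info: { email: 'alice@example.com' } }
SPOOFED_AUTH = { provider: 'microsoft_graph', uid: 'oid-other-9999',
                 info: { email: 'alice@example.com' } }
CHANGED_EMAIL_AUTH = { provider: 'microsoft_graph', uid: 'oid-victim-0001',
                       info: { email: 'alice.new@example.com' } }

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable lookup maps spoofed login to account id: #{find_account_vulnerable(SPOOFED_AUTH)&.dig(:id).inspect}"
  puts "hardened lookup maps spoofed login to: #{find_account_hardened(SPOOFED_AUTH).inspect}"
  puts "email mismatch on changed-email login: #{email_mismatch?(CHANGED_EMAIL_AUTH)}"
end
```

The vulnerable lookup resolves the spoofed login to the victim's account, while the hardened lookup finds no match and the mismatch check surfaces an email change on a known uid for review.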

The developers have now addressed this in version 2.0.0. It’s important that any services using omniauth-microsoft_graph for authentication update to the latest version to protect against this authentication bypass vulnerability.

Users should also be wary of any sites still running older versions, and check that unique identifiers such as email addresses are properly validated during login. Basic precautions, such as using strong and unique passwords, can help reduce the impact if a vulnerability like this is exploited. Staying on top of software updates is key to keeping your accounts safe from attackers.
