Researchers at Israeli cybersecurity company CyberArk said the vulnerability, associated with Microsoft Azure accounts and Microsoft's OAuth 2.0 applications, could have been used to trick users into giving attackers access to their online accounts.
And while the impact could have been "very powerful," in this particular case, researchers said there was little a user could do.
The bug, which was reportedly addressed by Microsoft weeks after the company was alerted, would have allowed hackers to steal account tokens.
Account tokens, used by websites and applications, allow users to access their accounts without having to constantly re-enter their passwords. The vulnerability allowed for the creation of tokens, with the victim's permissions, which could let the hacker access and control the account, researchers said.
Researchers said they have already found applications published by Microsoft that were vulnerable to this type of attack. The apps are automatically approved within any Microsoft account, which means they don't require any user consent in order for attackers to exploit them, researchers explained.
In some cases, this could have been done in what researchers call a "zero-click" way, meaning it didn't require user interaction.
"This vulnerability's attack surface is very wide and its impact can be very powerful. By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization's data with ransomware and more," the researchers, who have already found applications published by Microsoft that are vulnerable to this type of attack, said Monday.
Microsoft was alerted to the flaw in October and fixed it weeks later, according to researchers.
"We resolved the issue with the applications mentioned in this report in November and customers remain protected," a Microsoft spokesperson told FOX Business Monday.
To prevent future vulnerabilities, researchers at CyberArk say users can do the following:
- Make sure that all the trusted redirect URIs configured in the application are under your ownership.
- Remove unnecessary redirect URIs.
- Make sure the permissions that the OAuth application asks for are the least privileged ones it needs.
- Disable non-used applications.
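The first two items above amount to an audit of an app registration's redirect URIs. The following is an added example, not code from CyberArk or Microsoft, that runs such an audit over a constructed, hypothetical app registration (the `SAMPLE_APP` data and the `OWNED_DOMAINS` set are assumptions); it flags redirect URIs whose host is not under a domain you own, non-HTTPS or wildcard entries, and duplicates.

```python
# Added example: audit an OAuth app registration's redirect URIs against
# domains you control. Not the CyberArk or Microsoft code.
from urllib.parse import urlsplit

# Constructed sample registration (hypothetical, shaped like an Azure AD
# app manifest's redirect URI list).
SAMPLE_APP = {
    "displayName": "example-app",
    "redirectUris": [
        "https://app.example.com/auth/callback",
        "https://legacy.example.net/signin-oidc",   # domain no longer owned
        "http://localhost:3000/callback",           # dev-only entry
        "https://app.example.com/auth/callback",    # duplicate
    ],
}

# Constructed: domains this organization actually owns.
OWNED_DOMAINS = {"example.com"}


def host_is_owned(host, owned_domains):
    """True if host equals an owned domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def audit_redirect_uris(app, owned_domains, allow_localhost=True):
    """Return (uri, reason) findings for redirect URIs to review or remove."""
    findings = []
    seen = set()
    for uri in app.get("redirectUris", []):
        if uri in seen:
            findings.append((uri, "duplicate entry"))
            continue
        seen.add(uri)
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if host in ("localhost", "127.0.0.1"):
            if not allow_localhost:
                findings.append((uri, "localhost redirect in production app"))
            continue  # loopback redirects are not an ownership question
        if parts.scheme != "https":
            findings.append((uri, "non-HTTPS redirect"))
        if "*" in parts.netloc:
            findings.append((uri, "wildcard host"))
        elif not host_is_owned(host, owned_domains):
            findings.append((uri, "host not under an owned domain"))
    return findings
```

Any URI reported as "host not under an owned domain" is a candidate for removal, since a domain you no longer control can be registered by someone else.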
UPDATE: This article has been updated to include a comment from Microsoft.