critical

Azure AD B2C cryptographic flaw allowing account compromise

Published Wed, Feb 15th, 2023
Platforms

Summary

The Azure Active Directory B2C service (AD B2C) mistakenly implemented RSA key authentication using the public part of the key pair instead of the private one. This cryptographic flaw could have allowed an unauthenticated attacker to craft an OAuth refresh token for any AD B2C user account if they knew that user's public key. Moreover, every AD B2C user's public key was recoverable through an unrelated vulnerability (though asymmetric cryptography should not rely on public key secrecy regardless). An attacker could redeem this refresh token for a session token, thereby gaining access to the victim account as if they had logged in through a legitimate login flow.
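The following is an added, constructed illustration of the key-misuse class described above; it is not the AD B2C implementation and not code from the advisory's authors. It models a refresh token in three ways with textbook RSA on small primes: "protected" with the public half of the key pair (the flaw: anyone holding the public key can mint a token the redeemer accepts), signed with the private half (the fix), and protected with a per-tenant symmetric secret (the remediation's other option). The user table, key pair, tenant secret and the `public_key_suffices` audit helper are all assumptions made for the example.

```python
"""Toy model of the advisory's key-misuse class: a refresh token that the
issuer "protects" with the PUBLIC half of an RSA key pair, so anyone who
holds that public key can mint a token the redeemer accepts.

Constructed illustration with textbook RSA on small primes. It is not the
AD B2C implementation and is not safe for real use.
"""
import hashlib
import hmac

# Constructed toy RSA key pair (p, q chosen small so the arithmetic is visible).
P, Q = 59, 83
N = P * Q                          # modulus 4897
E = 17                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)
PUBLIC_KEY = (N, E)                # what an outsider may know
PRIVATE_KEY = (N, D)               # what only the token service should hold

# Constructed user table: user id -> display name. Ids are kept below N for the toy.
USERS = {1001: "alice", 1337: "victim", 2048: "bob"}

# Constructed per-tenant secret for the symmetric scheme.
TENANT_SECRET = b"constructed-tenant-secret-not-for-real-use"


def rsa_apply(key, value):
    """Raise `value` to the key's exponent modulo its modulus (textbook RSA)."""
    n, exponent = key
    return pow(value, exponent, n)


# ---- Vulnerable scheme: "protect" the claims with the public key -----------
def issue_vulnerable(user_id):
    """Issuer side. The blob is RSA applied with (N, E), i.e. public-key
    encryption: it hides the claims but proves nothing about who produced it."""
    return rsa_apply(PUBLIC_KEY, user_id)


def redeem_vulnerable(blob):
    """Redeemer side: recover the claims with the private key and trust them."""
    user_id = rsa_apply(PRIVATE_KEY, blob)
    return USERS.get(user_id)       # session owner, or None


# ---- Corrected scheme: sign the claims with the private key ----------------
def issue_signed(user_id):
    """Only a holder of D can produce the signature half of this token."""
    return user_id, rsa_apply(PRIVATE_KEY, user_id)


def redeem_signed(token):
    """Check the signature with the public key before trusting the claims."""
    user_id, signature = token
    if rsa_apply(PUBLIC_KEY, signature) != user_id:
        return None
    return USERS.get(user_id)


# ---- Symmetric alternative from the remediation: a secret the tenant keeps --
def issue_hmac(user_id, tenant_secret=TENANT_SECRET):
    """Tag the claims with HMAC-SHA256 under a secret that is never published."""
    claims = str(user_id).encode()
    return claims, hmac.new(tenant_secret, claims, hashlib.sha256).digest()


def redeem_hmac(token, tenant_secret=TENANT_SECRET):
    """Recompute the tag in constant time; reject anything that does not match."""
    claims, tag = token
    expected = hmac.new(tenant_secret, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return USERS.get(int(claims))


# ---- Audit check: does the public half alone suffice to mint a token? ------
def public_key_suffices(scheme, user_id=1337):
    """Build a token for `user_id` using ONLY (N, E), shaped the way the named
    scheme expects, and ask its redeemer for a session. True means the scheme
    is broken the way the advisory describes."""
    public_only = rsa_apply(PUBLIC_KEY, user_id)
    if scheme == "vulnerable":
        return redeem_vulnerable(public_only) is not None
    if scheme == "signed":
        return redeem_signed((user_id, public_only)) is not None
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    for scheme in ("vulnerable", "signed"):
        print(f"{scheme:>10}: public key alone mints a valid token? "
              f"{public_key_suffices(scheme)}")
```

The audit helper is the check an implementer can run against any token scheme: if a party holding only the published half of the key pair can produce something the redeemer turns into a session, authenticity is missing, whatever the scheme is called. Legitimate tokens round-trip in all three schemes; only the public-key-protected one also accepts the outsider's token.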

Affected Services

AD B2C

Remediation

None required, but AD B2C tenant administrators should perform a key rotation and/or switch to symmetric cryptography (e.g., AES).

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Mon, Mar 1st, 2021
Exploitability Period
Until December '22
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
8.93
(PI:1.5/A1:22/A2:1/A7:1/A8:1.1)
Discovered by
John Novak, Praetorian