Cybersecurity experts have uncovered a vulnerability linked to Microsoft Entra ID (previously known as Azure Active Directory) applications due to a neglected reply URL.

Using this unattended URL, malefactors could redirect authorization codes to themselves. “By misappropriating these codes, intruders can then obtain access tokens,” remarked Secureworks Counter Threat Unit (CTU) in a detailed review shared recently.

Such perpetrators could subsequently interface with the Power Platform API via an intermediary service to secure heightened privileges.

Post the timely alert to Microsoft on April 5, 2023, the tech giant rectified the concern by releasing an update the very next day. For the wider community’s benefit, Secureworks has provided a freely accessible tool to detect any disregarded reply URLs.

In the context of digital authentication, a reply URL or a redirect URI signifies the endpoint to which the authorization server redirects a user after the successful validation of an app, ensuring the provision of an authorization code or an access token.

Also Read: French Unemployment Agency Reports Data Breach Affecting 10 Million People

Microsoft, in its guidance, emphasizes the significance of pinpointing the appropriate redirect location during the app’s setup phase.

Through their investigation, Secureworks CTU spotted a deserted reply URL of a Dynamics Data Integration app linked with the Azure Traffic Manager profile. This flaw allowed unauthorized access to the Power Platform API through an intermediary service, further facilitating unauthorized modifications in the system configurations.

Picturing a potential breach, malefactors might have harnessed this loophole to claim the system administrator’s role for a pre-existing service entity, erase an environment, and misuse the Azure AD Graph API to garner details about the targeted entity, laying the groundwork for further malicious endeavors.

However, this strategy hinges on the victim’s inadvertent click on a deceitful link, which would then direct the authorization code, dispensed by Microsoft Entra ID upon signing in, to a URL controlled by the malefactor.

Meanwhile, a recent expose by Kroll showcased a surge in phishing drives masked as DocuSign communications that exploit open redirects. These cunning maneuvers allow adversaries to craft and disseminate URLs that reroute potential victims to a harmful platform upon activation.

Kroll’s cybersecurity expert, George Glass, elaborated, “Crafting a link that exploits a reputable domain makes it easier for the ill-intentioned to lure users into activating the link. Furthermore, it could also hoodwink security systems scanning for malicious links.”

The upshot? Unsuspecting users are channelled to malevolent platforms devised to pilfer vital data, ranging from login details to personal credentials or financial information.