We were recently made aware of the following security alert from Microsoft regarding risk of privilege escalation using the email claim:
Our platform uses the email address to authorize users, and the email claim is part of all of our connections. Do you have any recommendations/mitigation regarding this alert?
Essentially, the application has to use a user-controlled value in making authorization decisions.
These have been highlighted as bad practices in both Microsoft and our documents.
Auth0 has already published a guideline about the potential problems and the solutions in Email Verification for Azure AD and ADFS:
We published this document around two years ago. Having said that, for this vulnerability to occur, your application needs to have three prerequisites:
- It should allow login by Microsoft accounts
- It should use the email claim as the unique identifier for each user
- It should merge accounts automatically
If an application is proven to be vulnerable, it has to be fixed on the application side; the only solution is to change the authorization logic to never use a user-controlled value to make decisions.
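To make the three prerequisites concrete, here is an added example (not code from the thread, Auth0 or Microsoft) that puts the email-keyed account lookup the answer warns about next to a lookup keyed on the issuer and subject. Claim names follow OpenID Connect (`iss`, `sub`, `email`); the in-memory user store, issuer URLs and token payloads are constructed for illustration.

```python
"""Added example: email-claim account matching versus issuer+subject matching.
All identifiers and URLs below are constructed; claim names are standard OIDC."""

# Constructed user store: an existing admin account created from an earlier
# sign-in. The "email" value is whatever the IdP asserted, not an identity.
USERS = [
    {"id": 1, "iss": "https://idp.example/tenant-a", "sub": "user-123",
     "email": "alice@example.com", "role": "admin"},
]


def resolve_user_insecure(claims, users):
    """Vulnerable pattern from the thread: the user-controlled email claim
    alone selects (and so silently merges into) an existing account."""
    wanted = (claims.get("email") or "").lower()
    for u in users:
        if (u["email"] or "").lower() == wanted:
            return u  # any issuer asserting this email receives this account
    return None


def resolve_user(claims, users):
    """Hardened pattern: identity is the (iss, sub) pair the issuer is
    authoritative for. Email is stored as a contact attribute only and is
    never used to match or merge accounts automatically."""
    key = (claims.get("iss"), claims.get("sub"))
    if None in key:
        raise ValueError("token lacks iss/sub; refuse to authenticate")
    for u in users:
        if (u["iss"], u["sub"]) == key:
            return u
    # Unknown subject: create a separate account rather than merging.
    new_user = {"id": max((u["id"] for u in users), default=0) + 1,
                "iss": key[0], "sub": key[1],
                "email": claims.get("email"), "role": "member"}
    users.append(new_user)
    return new_user


# Constructed token from a different issuer whose subject asserts the same
# email address as the existing admin account.
FOREIGN_TOKEN = {"iss": "https://idp.example/tenant-b", "sub": "user-999",
                 "email": "alice@example.com"}
```

With the store above, `resolve_user_insecure(FOREIGN_TOKEN, ...)` returns the admin record, while `resolve_user` creates a separate member account for the new subject.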