Thursday, August 14, 2025


Inside Microsoft’s OAuth Apocalypse: When Security Turns Into a Playground for Hackers

Hello everyone. Strap in, because today we’re diving deep into the digital equivalent of finding Microsoft’s skeletons not in a closet, but parading down Main Street, waving at the crowd, and handing out free root access to anyone who can click “Accept.” This isn’t just an oopsie. This is Microsoft’s internal application security behaving like a loot chest in a free-to-play MMO: there for anyone with the time, patience, and curiosity to poke at it.

A Casual Stroll into the Den of Secrets

Our story starts innocently enough – bored documentation writing, a stray AKA.MS link, and that irresistible curiosity itch. What happens if you poke at Microsoft’s link shortener without the actual short part? Surprise, you get a login screen. This is where most people shrug, go back to their spreadsheet misery, and get another coffee. Not so for our intrepid researcher – oh no. That would be far too sensible.

Instead, they started pulling on that digital thread like a cat with a ball of yarn, stumbling into the enchanting world of eng.ms domains, consent prompts, and a 500 Internal Server Error that’s basically the internet’s way of shouting, “You shouldn’t be here!” Naturally, that’s exactly when the real fun begins.

OAuth Misconfiguration: The Swiss Cheese of Security

Here’s the thing: Microsoft’s internal Engineering Hub was set up as a multi-tenant Entra application pointing to the /common endpoint, which accepts sign-ins from any Entra tenant, not just Microsoft’s own. To the average person, that tech soup means nothing. To anyone with a whiff of pen-testing experience, it means: “Congratulations, you’re now inside the staff-only area.” It’s like using the “open door” animation in Doom and walking into the developer test map instead of your actual level.

And the best part? No one on the application side bothered to check which tenant the authentication came from – the digital equivalent of asking for ID, getting shown a library card, and still handing over the keys to Fort Knox. I’ve seen modded Minecraft servers run their login systems tighter than this.

Mapping the Mayhem

The researcher goes full dungeon crawl mode: enumerating 100,000+ Microsoft-owned subdomains, spelunking through HTTPS endpoints like a loot goblin, and finding 176 multi-tenant apps just lying in the open. Some fed him private portals, security intelligence platforms, engineering tools, and – wait for it – build infrastructure with Remote Code Execution potential.

  • Access to risk registers containing sensitive internal information
  • Media creation pipelines with private keys and license key generation potential
  • A buffet of internal portals: Engineering Hubs, hardware inventories, AI ops tools, Copilot correlation systems, subscription hubs, and more

At this point, the difference between a Microsoft engineer and our researcher is that one was on payroll – but both could access the same toys.

These glimpses show just how sprawling and unguarded some of Microsoft’s internal data source interfaces and portals appear – a playground for anyone savvy enough to bypass OAuth misconfigurations.

Doctor’s Orders: Check Your Tenant IDs

As someone who takes great joy in diagnosing chronic conditions (both human and digital), I can confidently label this one as “terminal misconfiguration syndrome.” The fix? Validate the “iss” or “tid” claim in your access tokens against the tenant(s) your application is actually meant to serve. That’s it. One quick check in application logic and you don’t end up letting randos browse your Security Intelligence Portal like it’s Wikipedia.

But no, instead we’ve got medicine bottles mislabelled, pills scattered on the floor, and patients self-administering RCE capabilities because the pharmacist wanted to “streamline the onboarding process.”
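To make the “one quick check” concrete, here is an added example (not code from the original article or from the research it summarises) that contrasts what a /common app that skips tenant validation effectively does with a check of the “tid” and “iss” claims against an allow-list. The tenant IDs are constructed placeholders, and signature and expiry verification are assumed to have already happened in the normal token-validation path; this only inspects the claims.

```python
import base64
import json

# Constructed placeholder tenant IDs, not real Microsoft tenant IDs.
HOME_TENANT_ID = "11111111-2222-3333-4444-555555555555"
ALLOWED_TENANTS = {HOME_TENANT_ID}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    Assumes signature and expiry were already verified by the token library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_authorized_weak(claims: dict) -> bool:
    # What an app behind /common does when it never looks at the tenant:
    # any signed-in Entra user from any tenant is treated as "one of ours".
    return "oid" in claims


def is_authorized(claims: dict) -> bool:
    # Hardened: the issuing tenant must be on the allow-list, and the issuer
    # URL must name that same tenant (v2.0 and v1.0 issuer formats shown).
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        return False
    expected_issuers = {
        f"https://login.microsoftonline.com/{tid}/v2.0",
        f"https://sts.windows.net/{tid}/",
    }
    return claims.get("iss") in expected_issuers


def make_unsigned_token(claims: dict) -> str:
    # Constructed alg=none token used only to feed the checker in tests.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

In a real deployment the same check belongs in the token-validation options of whatever library issues the 401, so it runs before any application code sees the request.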

[Image: error snippet showing access denied due to a missing service principal in a Microsoft OAuth app]

Rewards, Bounties, and Infinite Money Glitches

This grand tour of Microsoft’s weakest locks and most trusting doors netted the researcher… not infinite riches, but certainly bragging rights and leaderboard clout. And just when the curtain seemed to close, like any good post-credits teaser, there’s the “Rewards Support Tool.” Manage your payouts? Enter any amount? Congratulations, you’ve found the IRL equivalent of a video game gold duplication bug.

“Bug hunting at Microsoft was supposed to be an infinite money glitch!” – YouTube commenter

Well, turns out it kind of still is. You just have to know which buttons to press and have the moral restraint not to burn it all down.

Conclusion

This research is the perfect mix of curiosity, skill, and an organization so massive it can lose track of what’s internal or external like it’s dropping socks behind the couch. The moral of the story? Multi-tenant Entra apps are a minefield if you don’t check where the blast radius ends. Microsoft patched fast, the researcher got paid (a bit), and the rest of us now have another nightmare scenario to keep us awake at night.

Overall verdict? Fantastic research, horrifying security gap, and a story that will be retold in every security con for the next five years. Good for security awareness, bad for Microsoft’s blush levels.

And that, ladies and gentlemen, is entirely my opinion.


Article source: Abusing Entra OAuth for fun and access to internal Microsoft applications, https://research.eye.security/consent-and-compromise/

Dr. Su
Dr. Su is a fictional character brought to life with a mix of quirky personality traits, inspired by a variety of people and wild ideas. The goal? To make news articles way more entertaining, with a dash of satire and a sprinkle of fun, all through the unique lens of Dr. Su.
