Microsoft Fixes Vulnerability To Takeover Of The Azure Account Cybers Guards

A redirect URI misconfiguration can allow a non-existent domain to be whitelisted, which gives an attacker the ability to steal access tokens by having the token sent to a domain or subdomain the attacker registers. The OAuth protocol allows end users to grant applications access to their data in other apps or sites without revealing secrets or passwords. "Each attack requires getting the victim to click on a link or visit a compromised website, which can easily be done through simple social engineering techniques," the security researchers claim. Sensitive data may be stolen or lost, and servers may be compromised even if the victim only visits the website.

Some of the Azure apps published by Microsoft itself (Portfolios, Office 365 Secure Score, and Microsoft Service Trust) were found vulnerable to the attack: an attacker who takes over domains and URLs that Microsoft trusts could gain access to tokens carrying the victim's permissions. The OAuth 2.0 authorization request uses "redirect_uri" to deliver the token to the requesting application. Microsoft was told about the problem at the end of October and a patch was published a few weeks ago. The "redirect_uri" equivalent is a list of trusted URLs that the application uses to identify the URLs and servers allowed to receive tokens generated for that application. The root cause of the security flaw, called BlackDirect by CyberArk, is that anyone can register domains and sub-domains that these OAuth apps trust. The issue affects specific Microsoft OAuth 2.0 applications and allows an intruder to generate tokens with the victim's permissions. "However, the issue would most likely mean a full compromise of the organization's entire domain and Azure environment," said CyberArk.
OAuth 2.0 also allows a third-party application, whether a website or a mobile application, to obtain limited access to an HTTP service when the client requests it. Since these Azure applications are approved automatically within a Microsoft account, user consent is not necessary for attackers to use them to generate tokens. "This vulnerability makes it much easier to compromise privileged users, either by simply using social engineering or by infecting a website that internal users sometimes access." Also, these apps cannot be removed from the approved applications list for Microsoft accounts (some of them do not even appear there). An attacker can exploit the vulnerability by obtaining tokens and making requests to API endpoints, for instance resetting passwords for other users in AD, adding directory members and adding users to groups. In addition, because the applications are approved by default and can request access tokens, an attacker may reach Azure resources, AD resources, and more. For this vulnerability, the security researchers detailed both zero-click and one-click attack vectors.
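The trust mistake described above, worked through as an added example (this is not code from the article, from CyberArk or from Microsoft): a toy OAuth 2.0 authorization server whose redirect_uri check accepts any subdomain of a trusted domain, beside the exact-match check that closes the hole. The hostnames, the client ID, the token value and the assumption that "stale-partner.example" is an unregistered domain an attacker can claim are all constructed for illustration.

```python
"""Added example, not code from the Cybers Guards article, CyberArk or
Microsoft: a toy OAuth 2.0 authorization server whose redirect_uri check
trusts whole domains (the BlackDirect-style weakness) next to the exact-match
check that closes it. All hostnames, client IDs and token values are
constructed for illustration."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Loose allow-list of the kind the article describes: the app trusts every
# host under these domains. "stale-partner.example" is assumed to be a domain
# nobody has registered, so an attacker can register it and thereby own every
# subdomain the loose check would accept.
LOOSE_TRUSTED_DOMAINS = ("app.example.com", "stale-partner.example")

# Hardened allow-list: only exact, pre-registered redirect URIs.
STRICT_REDIRECT_URIS = frozenset({"https://app.example.com/auth/callback"})

ATTACKER_REDIRECT = "https://login.stale-partner.example/cb"  # attacker-registered host
LEGIT_REDIRECT = "https://app.example.com/auth/callback"


def loose_redirect_allowed(redirect_uri: str) -> bool:
    """Vulnerable check: any https URL whose host is a trusted domain or a
    subdomain of one passes, including hosts the attacker registers."""
    parts = urlsplit(redirect_uri)
    host = parts.hostname or ""
    return parts.scheme == "https" and any(
        host == d or host.endswith("." + d) for d in LOOSE_TRUSTED_DOMAINS
    )


def strict_redirect_allowed(redirect_uri: str) -> bool:
    """Hardened check: exact string comparison against the registered URIs,
    as RFC 6749 section 3.1.2.2 expects when clients register full URIs."""
    return redirect_uri in STRICT_REDIRECT_URIS


def build_authorization_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Implicit-flow authorization request (response_type=token). This is the
    link a victim is lured into opening in the one-click variant; a page the
    victim merely visits can load it in an iframe or img for a zero-click one."""
    query = {
        "client_id": client_id,
        "response_type": "token",
        "redirect_uri": redirect_uri,
        "scope": "user.read",
        "state": state,
    }
    return "https://authz.example/oauth2/authorize?" + urlencode(query)


def authorization_server(request_url: str,
                         redirect_check: Callable[[str], bool]) -> Optional[str]:
    """Toy authorization server. The user is assumed already signed in and the
    client pre-approved (as the article says of the Microsoft apps), so there
    is no consent prompt: if redirect_uri passes `redirect_check`, the server
    answers with a redirect carrying the token in the URL fragment."""
    q = parse_qs(urlsplit(request_url).query)
    redirect_uri = q["redirect_uri"][0]
    if not redirect_check(redirect_uri):
        return None  # request rejected, no token issued
    fragment = urlencode({
        "access_token": "constructed-token-for-" + q["client_id"][0],
        "token_type": "bearer",
        "state": q["state"][0],
    })
    return redirect_uri + "#" + fragment


def token_received_by_redirect_host(location: Optional[str]) -> Optional[str]:
    """What the host named in redirect_uri sees: the fragment, and with it the
    token, lands on whoever controls that host."""
    if location is None:
        return None
    return parse_qs(urlsplit(location).fragment).get("access_token", [None])[0]


def run_attack(redirect_check: Callable[[str], bool]) -> Optional[str]:
    """The attacker has the victim open an authorization request whose
    redirect_uri is the attacker-registered host; returns the token the
    attacker ends up holding, or None if the server refused the request."""
    url = build_authorization_url("ms-app-1234", ATTACKER_REDIRECT, "s1")
    return token_received_by_redirect_host(authorization_server(url, redirect_check))


if __name__ == "__main__":
    print("loose check, attacker receives:", run_attack(loose_redirect_allowed))
    print("strict check, attacker receives:", run_attack(strict_redirect_allowed))
```

Note that the strict check alone does not help if one of the exactly registered URIs itself points at a domain nobody owns; the allow-list also has to be reviewed for entries whose domain is unregistered or expired, which is the condition the article reports for the affected Microsoft applications.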
