Azure AD Credentials hidden in plain sight
You say what? Credentials stay exposed in the Azure AD!
Well, actually yes, they are visible, up to a point. Although this isn't by design, the behavior is not recognized as a bug or a security concern.
So let’s go back to the start, where this all began.
Somewhere around May 2022 Microsoft Entra was introduced in public, and during that period some changes were noticeable in the Azure Active Directory.
While playing around in Azure Active Directory I wondered which API calls are made to create the credentials for an App Registration, especially given the password hints that are shown.
I created an App Registration, opened the Certificates & secrets pane and clicked New client secret.
Nothing unexpected in the creation process: the addPassword API endpoint is called to create a new password, and the response comes back containing the metadata of the password, including the secret value itself:
@odata.context: "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential"
customKeyIdentifier: null
displayName: "Password uploaded on Fri Feb 03 2023"
endDateTime: "2023-05-04T15:50:25.275Z"
hint: "sls"
keyId: "befbea05-4337-4b3a-9205-dc3825ede4e4"
secretText: "sls8Q~4_S2KbBcSlnvwBCqXIUo_ZxTK3qKttZaXY"
startDateTime: "2023-02-03T15:50:25.275Z"
Hovering over the little information icon shows a tooltip stating the following:
Client secret values cannot be viewed, except for immediately after creation. Be sure to save the secret when created before leaving the page.
This sounds valid and is also described on the Microsoft Learn pages, which literally state:
Record the secret’s value for use in your client application code. This secret value is never displayed again after you leave this page.
Okay, I have copied the password and stored it in a safe place, in a txt file on my desktop. Nah, just kidding.
Now move away from the Certificates & secrets blade, open the Microsoft Sentinel portal, run a query, and browse back to the App Registration in Azure Active Directory. As you can see, the credentials are still exposed after leaving Azure Active Directory, scrolling around, and moving back to App Registrations again.
Microsoft Response
When I reported this undocumented feature to the MSRC in April 2022 it was picked up very quickly, but after providing more information it stayed silent for a very long time. (sound of crickets…)
Of course this is not a major vulnerability, but credentials are still exposed unintentionally, contrary to what the documentation says.
Two weeks ago the case was suddenly closed with the following comment:
Well, good to know that it is a post-compromise risk, which makes sense, because you need to get in to be in, right? But I also believe that the video above, created 9 months after the issue was reported, still shows that the credentials are exposed after navigating away.
I have tested this thoroughly, and even after 12 hours the credentials are still visible. Only when the browser context is refreshed (Ctrl+F5), or after logout and login, are the values hidden.
How to stay safe
If it looks like a bear and growls like a bear, it probably is a bear, and you had better stay away from it.
So in this case the only way to really avoid this is to never let the portal see the secret at all:
- Create the credentials using the Graph addPassword endpoint (the response, including secretText, comes back to your shell and never touches the portal):
Invoke-AzRestMethod -Method POST `
  -Uri "https://graph.microsoft.com/beta/applications/<appid>/addPassword" `
  -Payload '{"passwordCredential":{"displayName":"created via Graph"}}'
- Or create the credentials via PowerShell:
New-AzADAppCredential -ApplicationId <appid>
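A fuller version of the Graph route, added here as an example (not code from the original post): it creates the password credential with an explicit expiry, keeps secretText in the shell, prints only the non-secret metadata, and then re-reads the application to confirm that Graph never hands the secret back. It assumes an existing Az session (Connect-AzAccount) with rights to manage the app registration, an Az.Accounts version whose Invoke-AzRestMethod accepts Microsoft Graph URIs, and that $appObjectId is a placeholder for the app registration's object id.

```powershell
# Added example, not code from the original post.
# Assumptions: Connect-AzAccount has been run with an account allowed to
# manage the app registration, Invoke-AzRestMethod accepts Graph URIs,
# and $appObjectId holds the application's object id (placeholder value).
$appObjectId = '<object-id-of-the-app-registration>'

# Explicit lifetime instead of the portal default; ISO 8601 timestamps.
$now = (Get-Date).ToUniversalTime()
$payload = @{
    passwordCredential = @{
        displayName   = "created via Graph $($now.ToString('yyyy-MM-dd'))"
        startDateTime = $now.ToString('o')
        endDateTime   = $now.AddDays(90).ToString('o')
    }
} | ConvertTo-Json -Depth 3

$resp = Invoke-AzRestMethod -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/addPassword" `
    -Payload $payload

if ($resp.StatusCode -ne 200) {
    throw "addPassword failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
$cred = $resp.Content | ConvertFrom-Json

# secretText is returned exactly once, in this response. Convert it to a
# SecureString for hand-off to whatever consumes it; do not echo or log it.
$secret = ConvertTo-SecureString $cred.secretText -AsPlainText -Force

# Only non-secret metadata goes to the console or a log line.
[pscustomobject]@{
    keyId   = $cred.keyId
    hint    = $cred.hint          # same short hint the portal displays
    expires = $cred.endDateTime
}

# Check: re-reading the application returns the credential's metadata,
# but secretText is null. Graph does not hand the value back a second time.
$uri = "https://graph.microsoft.com/v1.0/applications/${appObjectId}?`$select=passwordCredentials"
$app = (Invoke-AzRestMethod -Method GET -Uri $uri).Content | ConvertFrom-Json
$app.passwordCredentials |
    Where-Object keyId -eq $cred.keyId |
    Select-Object keyId, hint, secretText
```

The final query is the point of the exercise: a shell session that holds $secret can be closed, while the portal, as described above, keeps the value in its page state until a hard refresh or a new login.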
Stay safe, and keep coding!