Let me preface this by stating I'm new to osTicket so please forgive me if I'm ignorant and this post is moot.
There is a security concern with Azure login. It seems that if an Azure account has already been signed into in a browser, osTicket will log into that account even when trying to log into a different account. This does make it inconvenient to try a test account in the same browser, but more importantly it can be a security risk. In my case, I'm an admin, and if I did not have 2FA enabled my account could be logged into without my credentials.
The steps to reproduce the problem:
I use Chrome for everything, so I've already logged into osTicket with my admin account on Chrome before.
- I go to the osTicket login page on Chrome, enter the test account Azure credentials (test.account@mydomain.com) and then click "Sign in with Azure"
- I get to the "2FA Pending" screen asking for the code. 2FA has not been set up for the test account. If using the Authenticator app, I enter the code I have in the app. For another admin account we have 2FA set up with email, and when getting to this screen using the test account credentials as stated in step 1, it emails a code to that admin account's email address.
- I enter the code from either method and it logs me in to the admin account.
I've never logged into osTicket before on Edge, so here's what happened when I tried it with the test account:
- I go to the osTicket login page on Edge, enter the test account Azure credentials, then click "Sign in with Azure"
- This time, I get a login.microsoftonline.com page with the email address "test.account@mydomain.com" and "Enter password"
- After entering the password, Microsoft forces MFA to be set up for the Microsoft account, which I didn't do since it's a test account. However, this clearly shows that the correct account is being accessed when on a different browser than was used before.
So to summarize, if an admin osTicket account has previously been logged into via Azure sign-in on a given browser, that account can be signed into again without entering its credentials. With 2FA a theoretical attack can be stopped, but the Defense in Depth principle would necessitate a change so that an account cannot be logged into without its credentials being entered.
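As an added illustration (this is not code from the original post or from osTicket): the behaviour described above is standard Azure AD / Microsoft identity platform single sign-on. The browser already holds a session cookie for login.microsoftonline.com, so an OpenID Connect authorize request that carries no `prompt` parameter is satisfied silently for whichever account that session belongs to, regardless of what was typed into the relying party's own form. Two protocol-level mitigations a relying party can apply are shown below: send `login_hint` and `prompt=login` on the authorize request so Microsoft re-authenticates the named account, and after the callback compare the `preferred_username` claim of the returned ID token against the address the user typed, refusing the login on mismatch. The endpoint and parameter names are the documented Microsoft identity platform v2.0 ones; the tenant, client ID, redirect URI and sample ID token are constructed placeholders, and the token signature is not verified here (assumed to be validated by the OIDC library before these checks run).

```python
import base64
import json
import urllib.parse

# Microsoft identity platform v2.0 authorization endpoint (real endpoint shape;
# the tenant value substituted at call time is a placeholder).
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce,
                        login_hint=None, force_login=False):
    """Build the OIDC authorize URL.

    Without `prompt`, Azure AD reuses any existing browser session at
    login.microsoftonline.com (silent SSO), which is the behaviour reported
    in the post. `login_hint` pre-selects the typed account and
    `prompt=login` forces fresh credential entry for this request.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,   # CSRF binding to the relying party's own session
        "nonce": nonce,   # replay protection, echoed back inside the ID token
    }
    if login_hint:
        params["login_hint"] = login_hint
    if force_login:
        params["prompt"] = "login"
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urllib.parse.urlencode(params)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def id_token_claims(id_token):
    """Return the payload claims of a compact-serialised JWT.

    Assumption: signature, issuer, audience, expiry and nonce have already
    been validated by the OIDC library. This only reads the payload so the
    account-binding check below can inspect it.
    """
    _header_b64, payload_b64, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def account_matches(id_token, expected_email):
    """Defence-in-depth check: the account Azure actually authenticated must be
    the one the user typed into the login form. `preferred_username` is the
    UPN-style login name; `email` is a fallback when that claim is absent."""
    claims = id_token_claims(id_token)
    actual = claims.get("preferred_username") or claims.get("email")
    if not actual:
        return False
    return actual.casefold() == expected_email.strip().casefold()


def make_sample_id_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    typed = "test.account@mydomain.com"
    url = build_authorize_url("contoso.onmicrosoft.com",
                              "00000000-0000-0000-0000-000000000000",
                              "https://helpdesk.example.com/api/auth/ext",
                              "state-1", "nonce-1",
                              login_hint=typed, force_login=True)
    print(url)

    # Silent SSO handed back the admin's session instead of the typed test account.
    sso_token = make_sample_id_token({"preferred_username": "admin@mydomain.com",
                                      "tid": "tenant-guid"})
    print(account_matches(sso_token, typed))  # False: refuse the login
```

`prompt=select_account` is a softer alternative that shows Microsoft's account picker instead of forcing a password entry. Comparing the stable `oid` and `tid` claims against a binding stored for the osTicket user is stronger than matching `preferred_username`, which a tenant admin can change; the address comparison is used here because the typed address is the only datum the login form provides.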