Sunday, January 18, 2026

Entra Cross-Tenant SaaS Apps Compromised by nOAuth Abuse, Resulting in Account Hijacking

A recent security investigation by Semperis has uncovered a critical vulnerability in Microsoft Entra ID (formerly Azure Active Directory) integrations, which can lead to complete account takeover in certain Software-as-a-Service (SaaS) applications.

The flaw, dubbed “nOAuth abuse,” enables attackers to hijack user accounts across tenant boundaries with minimal effort, potentially exposing sensitive data and organizational resources.

The Mechanics of nOAuth Abuse

nOAuth abuse exploits a misconfiguration in how some SaaS applications implement OpenID Connect (OIDC) authentication with Microsoft Entra ID.

The root of the issue lies in developers using mutable attributes such as a user’s email address as a unique identifier. Entra ID permits users to have unverified email addresses, which anyone within their tenant can set.

When a vulnerable application relies on an email claim for user identification, an attacker can impersonate any user simply by setting their own email address to match the victim’s within their own tenant.

The attack requires three components:

  1. The ability to set an unverified email address in Entra ID
  2. An app registration that permits the unverified email claim
  3. A vulnerable application that uses the email claim as a unique identifier

Once these conditions are met, an attacker can authenticate to the SaaS application using their own credentials but with the victim’s email address.

The application, unaware that the email address is unverified and from a different tenant, grants access to the victim’s account and data.

In Semperis’ research, 9 out of 104 tested applications (approximately 9%) were found to be vulnerable, including HR management platforms and apps with Microsoft 365 integrations, which raises the risk of data exfiltration and lateral movement within organizations.

Limited Defenses and Vendor Responsibility

Currently, there are few effective defenses for customers of vulnerable applications.

Traditional security controls like multi-factor authentication (MFA), conditional access, and endpoint detection and response (EDR) do not protect against nOAuth abuse, as the attack occurs outside the victim’s control.

nOAuth abuse flow (Source: Descope)

Customers are left with two main options: urge vendors to fix the issue or abandon the vulnerable SaaS application.

Detecting nOAuth abuse is extremely difficult. While log correlation between Entra ID and SaaS application authentication events in a SIEM (such as Microsoft Sentinel) might help, it is not foolproof.

SaaS vendors must ensure their applications use immutable identifiers (issuer and subject claims) as recommended by OIDC standards, rather than relying on email addresses for user identification.
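The account-lookup step at the heart of the mechanics section and the issuer-plus-subject fix recommended just above, as an added Python example (not code from Semperis or from any of the tested vendors): the email-keyed lookup is shown beside the hardened lookup so the difference is concrete. The issuer URLs, subject values and account record are constructed placeholders, and the ID token is assumed to have already been signature-validated before its claims reach this code.

```python
# Added example, not from the Semperis research or any vendor's code base.
# Shows why keying SaaS accounts on the OIDC "email" claim is unsafe with
# Entra ID (the claim is mutable and may be unverified) and how keying on
# the immutable issuer + subject pair, as OIDC recommends, closes the gap.
# Assumes the ID token signature has already been validated upstream.

# Constructed account store: one account provisioned from the victim's
# home tenant. Issuer and subject values are placeholders, not real IDs.
ACCOUNTS = {
    ("https://login.microsoftonline.com/victim-tenant-id/v2.0", "sub-victim-0001"): {
        "owner": "alice@victim.example",
        "role": "hr-admin",
    },
}

# Constructed claim sets from two different tenants. The second set is
# what the app would receive if someone in another tenant set their own
# (unverified) email to match the victim's and then signed in normally.
VICTIM_CLAIMS = {
    "iss": "https://login.microsoftonline.com/victim-tenant-id/v2.0",
    "sub": "sub-victim-0001",
    "email": "alice@victim.example",
}
OTHER_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/other-tenant-id/v2.0",
    "sub": "sub-other-0001",
    "email": "alice@victim.example",  # mutable, unverified, tenant-local value
}


def lookup_by_email(claims):
    """Vulnerable pattern: treats the mutable email claim as the identity."""
    email = claims.get("email", "").lower()
    for account in ACCOUNTS.values():
        if account["owner"].lower() == email:
            return account
    return None


def lookup_by_issuer_subject(claims):
    """Hardened pattern: identity is the immutable (iss, sub) pair.

    A token from another tenant carries a different issuer and subject, so
    it can never resolve to an account provisioned from the victim's tenant,
    whatever email value it carries.
    """
    key = (claims.get("iss"), claims.get("sub"))
    if None in key:
        return None  # refuse tokens missing either immutable claim
    return ACCOUNTS.get(key)
```

A review of an existing integration can start by grepping the sign-in handler for lookups on the email claim; any match is the pattern on the left.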

Microsoft has taken steps to mitigate the risk, such as not emitting unverified email claims by default for new app registrations created after June 2023.

However, thousands of legacy applications remain at risk. Vendors who fail to address the vulnerability may be removed from the Entra App Gallery. Still, until fixes are widely implemented, organizations must remain vigilant and proactive in assessing their SaaS security posture.

The nOAuth vulnerability underscores the risks associated with inadequate authentication practices in SaaS applications.

As attackers exploit these flaws with increasing ease, organizations must demand robust security assurances from their vendors and stay informed about emerging threats in the evolving cloud security landscape.
