Ongoing nOAuth Vulnerability Impacting 9% of Microsoft Entra SaaS Applications Two Years Post-Discovery


Recent research has highlighted ongoing risks associated with a known security vulnerability in Microsoft’s Entra ID, which may allow malicious actors to execute account takeovers within certain software-as-a-service (SaaS) applications.

The analysis conducted by Semperis, an identity security firm, examined 104 SaaS applications and identified nine that are exposed to cross-tenant nOAuth abuse within Entra ID.

The nOAuth vulnerability, initially reported by Descope in June 2023, relates to deficiencies in how SaaS applications implement OpenID Connect (OIDC), an authentication layer built on top of OAuth designed to confirm user identities.

This authentication flaw potentially allows an attacker to modify the mail attribute in a victim’s Entra ID account and utilize the application’s “Log in with Microsoft” feature to gain unauthorized access to that account.

This attack vector is particularly concerning due to Entra ID’s policy that permits users to maintain unverified email addresses, facilitating user impersonation across different tenant environments. Moreover, for applications employing multiple identity providers such as Google, Facebook, or Microsoft, an attacker may successfully log into a target user’s account based solely on the email address, creating possibilities for account merging.

Semperis’ investigation specifically targeted applications susceptible to Entra ID cross-tenant access, that is, scenarios where the attacker and the victim reside in different Entra ID tenants.

According to Eric Woodruff, chief identity architect at Semperis, “nOAuth abuse represents a significant threat that numerous organizations may unknowingly face. It requires minimal effort, generates little trace evidence, and circumvents customer protections.”

Successfully executing nOAuth attacks not only grants an adversary access to SaaS application data but can also enable them to pivot towards Microsoft 365 resources.

Semperis communicated these findings to Microsoft in December 2024, prompting the technology giant to reiterate recommendations initially disseminated in 2023, following the public revelation of nOAuth vulnerabilities. Additionally, firms that fail to adhere to specified guidelines risk their applications being removed from the Entra App Gallery.

Microsoft has underscored the necessity of using the subject identifier claim (the “sub” claim) as the primary means of uniquely identifying end users in OpenID Connect, emphasizing that deviating from this standard violates the expectations between federated identity providers and relying parties.

To mitigate the risks associated with nOAuth, developers must identify users by a unique and immutable identifier, such as the “sub” claim, rather than by a mutable attribute like the email address.
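The following added example (not code from the article, Semperis or Microsoft) models how a SaaS application maps a signature-verified Entra ID OIDC ID token to a local account. It places the email-keyed lookup that nOAuth abuses next to a lookup keyed on the tenant and subject claims; every tenant id, subject id, address and account id below is a constructed sample value.

```python
from typing import Dict, Optional

Claims = Dict[str, str]

# Constructed ID-token claim sets, as the app sees them after signature
# and issuer validation. The attacker has set the mail attribute in their
# OWN tenant to the victim's address, which Entra ID does not verify.
VICTIM_TOKEN: Claims = {
    "tid": "11111111-0000-0000-0000-000000000001",  # victim's tenant
    "sub": "victim-subject-id",                     # pairwise, issuer-assigned
    "email": "alice@victim.example",
}
ATTACKER_TOKEN: Claims = {
    "tid": "22222222-0000-0000-0000-000000000002",  # attacker's tenant
    "sub": "attacker-subject-id",
    "email": "alice@victim.example",                # user-editable, unverified
}

# Vulnerable app: the only link between token and account is the email claim.
EMAIL_KEYED_ACCOUNTS = {"alice@victim.example": "acct-alice"}

# Hardened app: the link is the (tid, sub) pair, which only the issuing
# tenant can produce and which the end user cannot change.
SUBJECT_KEYED_ACCOUNTS = {
    ("11111111-0000-0000-0000-000000000001", "victim-subject-id"): "acct-alice",
}


def vulnerable_lookup(claims: Claims) -> Optional[str]:
    """nOAuth-style linking: trusts a mutable, unverified email claim."""
    return EMAIL_KEYED_ACCOUNTS.get(claims.get("email", "").lower())


def hardened_lookup(claims: Claims) -> Optional[str]:
    """Link on (tid, sub); the email claim is display data, never a key."""
    tid, sub = claims.get("tid"), claims.get("sub")
    if not tid or not sub:
        return None  # reject tokens that lack the identifier claims
    return SUBJECT_KEYED_ACCOUNTS.get((tid, sub))


def hardened_login(claims: Claims, accounts: Dict[tuple, str]) -> str:
    """Find or provision by (tid, sub); never merge into an account by email."""
    key = (claims["tid"], claims["sub"])
    if key not in accounts:
        accounts[key] = f"acct-new-{len(accounts) + 1}"  # fresh, unlinked account
    return accounts[key]
```

Run against the two constructed tokens, the email-keyed lookup returns the victim's account for the attacker's token, while the subject-keyed lookup returns no match and the login path provisions a separate account instead of merging.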

“nOAuth abuse taps into cross-tenant security weaknesses, which can result in SaaS application data exfiltration, persistence, and laterally-moving threats,” the firm stated. “This type of abuse is inherently challenging for customers of vulnerable applications to identify and manage.”

In a related development, Trend Micro has disclosed that misconfigurations or excessive privileges concerning containers deployed in Kubernetes environments can provide attackers access to sensitive Amazon Web Services (AWS) credentials, thereby enabling further malicious activities.

Trend Micro indicated that attackers may leverage inflated privileges assigned to containers through techniques such as packet sniffing of unencrypted HTTP traffic to obtain plaintext credentials, as well as API spoofing using manipulated Network Interface Card (NIC) settings to intercept authorization tokens and gain elevated access levels.

The security implications emphasized by these findings necessitate rigorous security protocols when utilizing Amazon EKS Pod Identity to streamline access to AWS resources within Kubernetes environments, as stated by security researcher Jiri Gogela.

Such vulnerabilities highlight a crucial need for strict adherence to the principle of least privilege, ensuring that container configurations are appropriately scoped to minimize exploitation by malicious entities.