
Microsoft SaaS Vulnerability Exposed Apps for 2 Years

Summary

– A critical vulnerability in how applications integrate with Microsoft’s Entra ID, called nOAuth, still exposes enterprise applications two years after its disclosure, risking account takeovers and data theft.
– Semperis revealed at TROOPERS25 that at least 15,000 SaaS applications remain vulnerable because they key user identity on the unverified email claim in Entra ID tokens.
– The flaw abuses how applications consume OAuth and OpenID Connect tokens, not a weakness in the protocols themselves: an attacker needs only the victim’s email address to hijack an account, and the victim’s MFA and Zero Trust policies are never evaluated because the attacker signs in with their own credentials in their own tenant.
– Many SaaS vendors remain unaware of the issue, and affected customers have little ability to detect or block the attack on their own.
– Semperis recommends specific mitigation steps, since traditional security measures do not stop this low-complexity, high-impact threat.

A critical security flaw in the way applications integrate with Microsoft’s Entra ID has left thousands of enterprise applications exposed for two years, putting sensitive data at risk of unauthorized access. The vulnerability, known as nOAuth, was first disclosed in 2023 but remains a significant threat because the attack leaves few traces and the insecure pattern is widespread.

Security firm Semperis recently revealed alarming findings at the TROOPERS25 conference, estimating that over 15,000 SaaS applications could still be vulnerable to this authentication bypass flaw. The issue stems from how applications registered in Microsoft’s Entra ID are configured: they accept the email claim in the ID token as the user identifier, even though Entra ID does not verify that claim. The OpenID Connect specification discourages exactly this, because the email claim is mutable and may be unverified; the sub claim is the stable identifier a relying party is meant to use.

How the nOAuth Vulnerability Works

The flaw targets multi-tenant applications registered in Microsoft Entra ID (formerly Azure AD) that offer a “Sign in with Microsoft” option. OAuth is designed to let users grant third-party apps limited access to their resources without sharing credentials, and OpenID Connect layers identity on top of it by issuing an ID token with claims about the signed-in user. Because Entra ID does not verify the email claim it emits, an attacker who administers their own Entra tenant can set a user’s email attribute to the victim’s address, sign in to the target app with that user, and present an ID token whose email claim matches the victim’s. If the app matches accounts by email, the attacker lands in the victim’s account using nothing more than the victim’s email address and a sign-in from a tenant they control.

What makes nOAuth particularly dangerous is that it sidesteps, rather than breaks, standard security measures like multi-factor authentication (MFA) and Zero Trust policies. Those controls protect the victim’s sign-in, but the victim never signs in: the attacker authenticates normally in their own tenant, and the application’s trust in the email claim does the rest. Even well-protected accounts remain vulnerable because the attack exploits a trust assumption inside the application, not a weakness in the victim’s credentials.

A Lingering Threat

Despite being discovered in 2023, Semperis found that many SaaS providers remain unaware of the issue, leaving their applications open to exploitation. The company estimates that 10% of all SaaS apps, roughly 15,000, are still at risk, highlighting the slow response to this critical vulnerability.

Eric Woodruff, Chief Identity Architect at Semperis, emphasized the severity of the threat, calling it “low complexity but high impact.” Developers often follow insecure patterns unknowingly, while customers lack the tools to detect or prevent such attacks. This combination makes nOAuth a persistent and dangerous risk for organizations relying on cloud-based services.

Mitigation Strategies

Since conventional security controls do not block nOAuth attacks, Semperis recommends proactive measures to reduce exposure. These include:

  • Auditing app configurations to ensure the email claim is never used as the user identifier and that email values are treated as unverified unless the token says otherwise; accounts should instead be keyed on the immutable tenant and object identifiers Entra ID issues.

Without immediate action, businesses risk falling victim to account takeovers and data breaches, a threat that continues to fly under the radar despite its far-reaching consequences.
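The two account-lookup patterns described in the “How the nOAuth Vulnerability Works” section, and the audit the mitigation list calls for, as an added example in Python. This is not code from the article, Semperis or Microsoft. The account table, tenant and object ids and ID-token claim sets are constructed for the example; xms_edov is Microsoft’s optional “email domain owner verified” claim, which an app must request in its token configuration for it to appear; token signature and issuer validation are assumed to have happened before these functions run.

```python
"""
Added example, not code from the article, Semperis or Microsoft: the account
lookup pattern that makes an app vulnerable to nOAuth, the hardened lookup
beside it, and a claim-level audit. Account table, tenant/object ids and
ID-token claim sets are constructed; signature and issuer validation of the
token are assumed to have happened before these functions run.
"""

# Constructed account store: what a SaaS app might persist after a user's
# first "Sign in with Microsoft".
ACCOUNTS = {
    "acct-victim": {
        "email": "cfo@victim.example",
        "tid": "11111111-1111-1111-1111-111111111111",  # victim's Entra tenant id (constructed)
        "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",  # victim's user object id (constructed)
    },
}

# Constructed ID-token claims from the victim's own tenant. xms_edov is the
# optional Entra claim stating that the email domain's owner has been
# verified; the app must request it in its token configuration.
VICTIM_TOKEN = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "cfo@victim.example",
    "xms_edov": True,
}

# Constructed claims for the nOAuth case: the attacker administers a separate
# tenant and set a user's mail attribute to the victim's address. Entra ID
# copies it into the email claim without verification, so it matches exactly.
ATTACKER_TOKEN = {
    "tid": "22222222-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "cfo@victim.example",
}


def lookup_by_email(claims):
    """The nOAuth-prone pattern: the email claim is mutable and unverified,
    yet it is used here as the identity key."""
    email = claims.get("email", "").lower()
    for acct_id, acct in ACCOUNTS.items():
        if acct["email"].lower() == email:
            return acct_id
    return None


def lookup_by_tenant_and_object(claims):
    """Hardened pattern: key on the immutable tenant id + object id pair
    (Microsoft's guidance for multi-tenant apps; OIDC's sub claim is the
    equivalent stable identifier). Email is kept for display only."""
    key = (claims.get("tid"), claims.get("oid"))
    if not all(key):
        return None
    for acct_id, acct in ACCOUNTS.items():
        if (acct["tid"], acct["oid"]) == key:
            return acct_id
    return None


def audit_claims(claims):
    """Claim-level audit an app can run on every token: flag unverified email
    claims, and flag the nOAuth signature, an email that matches a stored
    account whose tenant/object ids do not."""
    findings = []
    if claims.get("email") and claims.get("xms_edov") is not True:
        findings.append("email claim present without xms_edov=True; treat as unverified")
    by_email = lookup_by_email(claims)
    by_id = lookup_by_tenant_and_object(claims)
    if by_email is not None and by_email != by_id:
        findings.append(
            f"email matches account {by_email} but tid/oid do not: possible nOAuth attempt"
        )
    return findings


if __name__ == "__main__":
    for name, token in (("victim", VICTIM_TOKEN), ("attacker", ATTACKER_TOKEN)):
        print(name, "by_email=", lookup_by_email(token),
              "by_id=", lookup_by_tenant_and_object(token),
              "audit=", audit_claims(token))
```

The vulnerable lookup returns the victim’s account for both tokens, which is the takeover; the hardened lookup returns the victim’s account only for the token issued from the victim’s tenant and object id. The audit function is the check to wire into the sign-in path: an email match that the tenant/object ids do not corroborate should block the sign-in and alert, not silently merge accounts.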

(Source: InfoSecurity Magazine)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.