Critical Microsoft nOAuth Flaw Continues to Endanger SaaS Applications

A significant vulnerability in Microsoft’s Entra ID, identified as the nOAuth flaw, persists in jeopardizing numerous enterprise applications nearly two years post-discovery. According to findings presented by Semperis, an identity security firm, at the TROOPERS25 conference held in Heidelberg, Germany, it is estimated that at least 15,000 software-as-a-service (SaaS) applications remain susceptible to this flaw, which can lead to account takeovers and data breaches.
The nOAuth vulnerability, first detected in June 2023 by Descope through cross-tenant testing, represents a serious authentication implementation flaw within Microsoft Azure AD's multi-tenant Open Authorization (OAuth) applications. OAuth is a widely adopted framework that lets users grant applications access to their private resources without disclosing their identity details. OpenID Connect (OIDC), which builds upon OAuth 2.0, further enables applications to verify users' identities and obtain basic profile information securely using JSON Web Tokens (JWT).
The vulnerability exploits specific configurations within Entra ID applications that accept the unverified email claim as the user identifier, an anomaly that contradicts established OpenID Connect standards. Consequently, attackers require only an Entra tenant and the targeted email address to gain control of victim accounts. Notably, conventional security measures, including multifactor authentication (MFA), conditional access, and Zero Trust policies, fail to safeguard against this vulnerability.
Despite its discovery two years ago, Semperis’ analysis indicates that many SaaS vendors remain unaware of their exposure to the nOAuth flaw. Eric Woodruff, Chief Identity Architect at Semperis, emphasized the severity of this vulnerability, stating, "It's easy for well-meaning developers to follow insecure patterns without realizing it, and in many cases, they don’t even know what to look for. Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat."
The implications of this vulnerability are profound. Semperis highlights that vulnerable applications constitute at least 10% of the estimated 150,000 total SaaS applications currently in use, underscoring the scale of the risk.
To mitigate threats arising from the nOAuth vulnerability, Semperis recommends several measures:
1. SaaS vendors should adhere to Microsoft’s guidelines to prevent nOAuth abuse.
2. Developers must implement necessary fixes to protect customer data.
3. Organizations should ensure deep log correlation across both Entra ID and the SaaS platform to detect potential nOAuth abuse.
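The identifier-mapping mistake described above, next to the fix developers are asked to implement, as an added example that is not code from the article, Semperis or Microsoft: a multi-tenant SaaS backend resolving an Entra ID token's claims to a local account, once by the unverified `email` claim and once by the immutable tenant and object IDs. All tenant IDs, object IDs and addresses are constructed placeholders.

```python
# Added example: mapping Entra ID token claims to a local SaaS account.
# lookup_by_email() is the nOAuth pattern: the `email` claim is mutable and
# is not verified by Entra ID, so an admin of any other tenant can set a
# victim's address on a user in their own tenant and receive a matching token.
# lookup_by_immutable_id() keys on (tid, oid), which Entra ID assigns and
# which no other tenant can reproduce. All IDs below are constructed values.
from typing import Optional

LEGIT_TENANT = "00000000-0000-0000-0000-000000000001"  # victim's home tenant
LEGIT_OID = "00000000-0000-0000-0000-0000000000aa"     # victim's object id

# Local accounts as provisioned on the legitimate user's first sign-in.
ACCOUNTS = {
    (LEGIT_TENANT, LEGIT_OID): {"email": "victim@example.com", "role": "admin"},
}


def lookup_by_email(claims: dict) -> Optional[dict]:
    """Vulnerable: treats the unverified `email` claim as the user identifier."""
    email = claims.get("email", "").lower()
    for acct in ACCOUNTS.values():
        if acct["email"].lower() == email:
            return acct
    return None


def lookup_by_immutable_id(claims: dict) -> Optional[dict]:
    """Hardened: identify the user by the immutable (tid, oid) pair.
    The pairwise `sub` claim would be an equally valid stable key."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # token lacks the identifying claims: refuse the sign-in
    return ACCOUNTS.get((tid, oid))


# Claims from a token issued for the real user by the victim's own tenant.
LEGIT_CLAIMS = {"tid": LEGIT_TENANT, "oid": LEGIT_OID,
                "email": "victim@example.com"}
# Claims from a token issued by a different tenant whose user carries the
# same email string; only the email matches, tid and oid differ.
FOREIGN_CLAIMS = {"tid": "00000000-0000-0000-0000-000000000002",
                  "oid": "00000000-0000-0000-0000-0000000000bb",
                  "email": "victim@example.com"}

if __name__ == "__main__":
    print("email lookup, foreign tenant:", lookup_by_email(FOREIGN_CLAIMS))
    print("tid/oid lookup, foreign tenant:", lookup_by_immutable_id(FOREIGN_CLAIMS))
    print("tid/oid lookup, home tenant:", lookup_by_immutable_id(LEGIT_CLAIMS))
```

Running it shows the email-keyed lookup returning the admin account for the foreign-tenant token while the (tid, oid)-keyed lookup returns nothing for it; the log-correlation step above amounts to spotting sign-ins whose `tid` does not match the tenant the account was provisioned from.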
In conclusion, the ongoing risk presented by the nOAuth flaw reveals significant deficiencies in current security practices among SaaS vendors. As the digital landscape continues to evolve, it is imperative for organizations to remain vigilant and proactive in addressing such vulnerabilities to safeguard their operations and protect sensitive data from exploitation. The persistence of this flaw serves as a critical reminder of the need for comprehensive security measures and continuous monitoring in an increasingly interconnected environment.