Ethical Hacking News

nOAuth Vulnerability: A Threat to Microsoft Entra SaaS Apps Despite Two Years of Discovery



A recent discovery highlights the persistence of the nOAuth vulnerability in Microsoft Entra SaaS apps, posing a significant threat to users' identity management. Despite being identified two years ago, this vulnerability remains a concern for developers and organizations handling sensitive data.

  • Approximately 9% of Microsoft Entra SaaS applications remain vulnerable to nOAuth, a known security weakness.
  • nOAuth allows malicious actors to hijack identities by exploiting the "Log in with Microsoft" feature in Entra ID accounts.
  • The vulnerability has been present since June 2023 and poses a significant threat to users' identity management, particularly in cross-tenant access.
  • Microsoft first published its recommendations for addressing nOAuth in June 2023, but adoption has been limited and the vulnerability persists.
  • nOAuth can be exploited by attackers using an unverified email address, allowing them to impersonate users across different tenant boundaries.
  • The vulnerability requires low effort from attackers and leaves little trace behind.



In a recent revelation, researchers at Semperis have uncovered that approximately 9% of Microsoft Entra SaaS applications remain vulnerable to a known security weakness, namely nOAuth. This vulnerability has been present since its discovery in June 2023 and poses a significant threat to users' identity management, particularly in the context of cross-tenant access.

For those unfamiliar with the term, nOAuth refers to a flaw in how SaaS applications implement OpenID Connect (OIDC), an authentication layer built atop OAuth to verify user identities. This vulnerability allows malicious actors to exploit the "Log in with Microsoft" feature in Entra ID accounts: by changing the mail attribute of an account they control to a victim's address, they can hijack the victim's account in the SaaS application and gain unauthorized access.

The discovery was made after Semperis analyzed 104 SaaS applications, identifying nine instances where nOAuth abuse had occurred. This finding underscores the persistence of this vulnerability despite Microsoft's recommendations for addressing it, which were first disclosed in June 2023.

One of the critical issues with nOAuth is that it relies on an unverified email address, which can be exploited to impersonate users across different tenant boundaries. Moreover, applications that use multiple identity providers like Google, Facebook, or Microsoft may inadvertently allow attackers to sign into target accounts if an email address is the only attribute used as the unique identifier.

Eric Woodruff, chief identity architect at Semperis, warns that nOAuth abuse is a serious threat with low effort required from attackers and little trace left behind. Furthermore, if successful, this exploit not only gains access to SaaS application data but also potentially allows for lateral movement into Microsoft 365 resources.

In response to these findings, Microsoft reiterated its guidelines for addressing the issue. Vendors are advised to ensure their applications comply with these recommendations to avoid having them removed from the Entra App Gallery. More critically, using claims other than the "sub" claim as a primary account identifier in OpenID Connect is deemed non-compliant.

Mitigating nOAuth ultimately falls under the responsibility of developers, who must implement authentication correctly by keying accounts on a unique, immutable user identifier rather than on a mutable attribute such as email. According to Microsoft, nOAuth abuse can lead to data exfiltration, persistence, and lateral movement, presenting significant challenges for both detection and defense.
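To make the defensive point concrete, here is an added example (not code from the article or from Semperis or Microsoft) showing the account lookup pattern that creates nOAuth exposure beside one keyed on the immutable "sub" claim. The claim sets, issuer URLs and account store are constructed for illustration, and stand in for ID tokens whose signature, issuer, audience and expiry have already been validated.

```python
"""Added example: account selection by the mutable `email` claim (the nOAuth
pattern) versus selection by (issuer, sub), which is unique and immutable per
identity provider. Claims below are constructed; real code must validate the
token signature, `iss`, `aud` and expiry before trusting any claim."""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    # Federated identities bound to this account as (iss, sub) pairs
    federated_ids: set = field(default_factory=set)


# Constructed user store for the relying-party (SaaS) application
ACCOUNTS = [Account("alice", "alice@victim.example")]

# Constructed claims from a token issued to an account in a *different* tenant
# whose unverified mail attribute was set to the victim's address.
FOREIGN_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "sub": "foreign-tenant-subject-AAAA",
    "email": "alice@victim.example",
}

# Constructed claims for the genuine user from her home tenant
HOME_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "sub": "home-tenant-subject-BBBB",
    "email": "alice@victim.example",
}


def lookup_by_email(claims):
    """Vulnerable: treats the unverified, attacker-settable email as the key."""
    return next((a for a in ACCOUNTS if a.email == claims["email"]), None)


def lookup_by_subject(claims):
    """Hardened: the key is (iss, sub). Email never selects an account, and an
    unknown (iss, sub) pair yields no account rather than a cross-tenant match."""
    key = (claims["iss"], claims["sub"])
    return next((a for a in ACCOUNTS if key in a.federated_ids), None)


def link_identity(account, claims):
    """Bind a federated identity to an account only via a trusted flow (e.g. an
    invitation or an already-authenticated session), never via an email match."""
    account.federated_ids.add((claims["iss"], claims["sub"]))
```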

Another concerning development comes from Trend Micro, which revealed vulnerabilities in Kubernetes environments that facilitate access to sensitive AWS credentials using misconfigured or overly privileged containers. These vulnerabilities underscore the importance of adhering to the principle of least privilege and minimizing opportunities for exploitation by malicious actors.

The cybersecurity landscape continues to evolve with new threats emerging, highlighting the need for vigilance among developers, organizations, and end-users alike. As nOAuth remains a persistent vulnerability despite Microsoft's efforts to address it, the emphasis falls squarely on the shoulders of those who create and manage SaaS applications: ensure that identity management solutions are robust against cross-tenant vulnerabilities.



Related Information:
  • https://www.ethicalhackingnews.com/articles/nOAuth-Vulnerability-A-Threat-to-Microsoft-Entra-SaaS-Apps-Despite-Two-Years-of-Discovery-ehn.shtml

  • https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.html


  • Published: Wed Jun 25 13:49:47 2025 by llama3.2 3B Q4_K_M