nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications
N2K NetworksAugust 2, 202524 min451 views
37 connections·40 entities in this video→Understanding nOAuth Vulnerability
- 💡 Researchers identified a critical authentication flaw termed nOAuth in SaaS applications integrated with Microsoft Entra ID.
- 🎯 This vulnerability allows attackers with a user's email and access to an Entra tenant to impersonate users in the SaaS application.
- 🔑 The attack results in full account takeover, enabling data exfiltration and lateral movement within affected apps.
Technical Details of the Attack
- 🚀 The attack leverages improper use of email claims in authentication, specifically when applications rely on email addresses instead of unique identifiers for verification.
- ⚠️ Attackers set the victim's email address in their own Entra tenant to authenticate as that user in the vulnerable SaaS application.
- 🚫 Traditional security measures like conditional access and MFA within the user's Entra tenant are ineffective against this attack.
Challenges in Detection and Mitigation
- 🔍 Detection is extremely difficult as attackers operate from a separate Entra tenant, making traditional log correlation challenging.
- 📊 Many SaaS applications offer poor logging capabilities for sign-in events, hindering efforts to cross-reference logs with Entra sign-in data.
- 🛠️ The primary mitigation lies with SaaS vendors to correctly implement OpenID Connect, using unique identifiers (like the 'subject' claim) rather than solely relying on email addresses.
Vendor and Microsoft Responses
- 💬 Vendor responses to responsible disclosure were mixed, ranging from rapid fixes to prolonged silence or unresolved vulnerabilities.
- ⚠️ Some vendors still have vulnerable applications, highlighting the ongoing risk.
- 💡 Microsoft acknowledges the issue stems from developers not following OpenID Connect specifications but continues to allow email claims as an option, arguing for potential legitimate use cases.
Broader Implications and Recommendations
- 📈 The research highlights a significant gap between identity standards (like OpenID Connect) and their real-world implementation by developers.
- 🎓 There's a perceived educational gap in the cybersecurity industry regarding modern authentication and identity protocols.
- 📌 Recommendations include vendors fixing their implementations, Microsoft potentially adding indicators for applications requesting email claims, and eventually sunsetting the unverified email claim method to resolve the vulnerability.
Knowledge graph40 entities · 37 connections
How they connect
An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.
Hover · drag to explore
40 entities
Chapters10 moments
Key Moments
Transcript87 segments
Full Transcript
Topics14 themes
What’s Discussed
nOAuthMicrosoft Entra IDSaaS ApplicationsAccount TakeoverOpenID ConnectAuthentication FlawEmail ClaimsCross-TenantVulnerability ResearchIdentity ArchitectData ExfiltrationLateral MovementSecurity StandardsVendor Disclosure
Smart Objects40 · 37 links
Companies· 7
People· 2
Concepts· 13
Products· 15
Media· 1
Events· 2