nOAuth Abuse: Full Account Takeover of Entra Cross-Tenant SaaS Applications
N2K NetworksAugust 1, 202524 min87 views
27 connections·32 entities in this video→Understanding nOAuth Vulnerability
- 💡 A critical authentication flaw, dubbed nOAuth, has been identified in SaaS applications integrated with Microsoft Entra ID.
- 🎯 This vulnerability allows attackers to impersonate legitimate users by simply knowing their email address and having access to an Entra tenant.
- 🔑 The end result is full account takeover within the affected SaaS application, granting attackers access to user data and functionality.
Technical Details of the Attack
- 🚀 The attack exploits improper use of email claims in authentication, where applications rely on email addresses instead of unique identifiers (like the
subjectclaim) for verification. - ⚠️ Attackers can set a legitimate user's email address in their own Entra tenant and then authenticate into the vulnerable SaaS application as that user.
- 🚫 This impersonation is difficult to detect and mitigate using traditional security measures within the customer's Entra tenant, such as conditional access or MFA.
Challenges in Detection and Mitigation
- 🔍 Detection relies on correlating Entra sign-in logs with SaaS application sign-in logs, which is often difficult due to poor logging capabilities in many SaaS apps.
- 🚧 Customers are largely defenseless against this attack, as the mitigation must come from the SaaS vendors themselves.
- 🛠️ The vulnerability stems from SaaS vendors not adhering to OpenID Connect specifications, specifically by not using the unique
subjectidentifier provided by the identity provider.
Vendor Responses and Industry Gaps
- 📈 Vendor responses to responsible disclosure have been mixed, with some resolving the issue quickly and others showing no response or continued vulnerability.
- 📉 A significant gap exists between identity standards like OpenID Connect and their real-world implementation by developers.
- 🎓 There's a broader educational gap in cybersecurity regarding modern authentication and identity protocols, making it challenging for developers to implement them correctly.
Recommendations and Future Outlook
- 💡 SaaS vendors are urged to review their OpenID Connect implementations and prioritize fixing vulnerabilities related to email claim usage.
- 📣 Microsoft could enhance visibility by flagging applications that request email claims, allowing enterprises to assess risk.
- 🚀 A long-term solution could involve Microsoft sunsetting the option to use unverified email addresses in this context, thereby resolving the vulnerability within Entra ID.
Knowledge graph32 entities · 27 connections
How they connect
An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.
Hover · drag to explore
32 entities
Chapters10 moments
Key Moments
Transcript87 segments
Full Transcript
Topics13 themes
What’s Discussed
nOAuthMicrosoft Entra IDSaaS ApplicationsAccount TakeoverOpenID ConnectAuthentication FlawEmail ClaimsCross-Tenant AccessIdentity ArchitectureVulnerability DisclosureCybersecurityData ExfiltrationLateral Movement
Smart Objects32 · 27 links
Concepts· 7
Companies· 9
Medias· 5
People· 2
Products· 8
Event· 1