Skip to main content

nOAuth Abuse: Full Account Takeover of Entra Cross-Tenant SaaS Applications

N2K NetworksAugust 1, 202524 min87 views
27 connections·32 entities in this video

Understanding nOAuth Vulnerability

  • 💡 A critical authentication flaw, dubbed nOAuth, has been identified in SaaS applications integrated with Microsoft Entra ID.
  • 🎯 This vulnerability allows attackers to impersonate legitimate users by simply knowing their email address and having access to an Entra tenant.
  • 🔑 The end result is full account takeover within the affected SaaS application, granting attackers access to user data and functionality.

Technical Details of the Attack

  • 🚀 The attack exploits improper use of email claims in authentication, where applications rely on email addresses instead of unique identifiers (like the subject claim) for verification.
  • ⚠️ Attackers can set a legitimate user's email address in their own Entra tenant and then authenticate into the vulnerable SaaS application as that user.
  • 🚫 This impersonation is difficult to detect and mitigate using traditional security measures within the customer's Entra tenant, such as conditional access or MFA.

Challenges in Detection and Mitigation

  • 🔍 Detection relies on correlating Entra sign-in logs with SaaS application sign-in logs, which is often difficult due to poor logging capabilities in many SaaS apps.
  • 🚧 Customers are largely defenseless against this attack, as the mitigation must come from the SaaS vendors themselves.
  • 🛠️ The vulnerability stems from SaaS vendors not adhering to OpenID Connect specifications, specifically by not using the unique subject identifier provided by the identity provider.

Vendor Responses and Industry Gaps

  • 📈 Vendor responses to responsible disclosure have been mixed, with some resolving the issue quickly and others showing no response or continued vulnerability.
  • 📉 A significant gap exists between identity standards like OpenID Connect and their real-world implementation by developers.
  • 🎓 There's a broader educational gap in cybersecurity regarding modern authentication and identity protocols, making it challenging for developers to implement them correctly.

Recommendations and Future Outlook

  • 💡 SaaS vendors are urged to review their OpenID Connect implementations and prioritize fixing vulnerabilities related to email claim usage.
  • 📣 Microsoft could enhance visibility by flagging applications that request email claims, allowing enterprises to assess risk.
  • 🚀 A long-term solution could involve Microsoft sunsetting the option to use unverified email addresses in this context, thereby resolving the vulnerability within Entra ID.
Knowledge graph32 entities · 27 connections

How they connect

An interactive map of every person, idea, and reference from this conversation. Hover to trace connections, click to explore.

Hover · drag to explore
32 entities
Chapters10 moments

Key Moments

Transcript87 segments

Full Transcript

Topics13 themes

What’s Discussed

nOAuthMicrosoft Entra IDSaaS ApplicationsAccount TakeoverOpenID ConnectAuthentication FlawEmail ClaimsCross-Tenant AccessIdentity ArchitectureVulnerability DisclosureCybersecurityData ExfiltrationLateral Movement
Smart Objects32 · 27 links
Concepts· 7
Companies· 9
Medias· 5
People· 2
Products· 8
Event· 1