Risks in Microsoft Entra ID: Understanding nOAuth Vulnerabilities
Recent research has unveiled a persistent risk associated with Microsoft’s Entra ID, highlighting a vulnerability that could potentially allow malicious actors to hijack accounts linked to various software-as-a-service (SaaS) applications. This alarming discovery comes from Semperis, a company specializing in identity security, which examined 104 different SaaS applications and identified nine that remain susceptible to cross-tenant nOAuth exploitation.
What is nOAuth?
First brought to light by Descope in June 2023, nOAuth refers to a flaw in how SaaS applications use OpenID Connect (OIDC), the authentication layer built on top of OAuth that confirms a user’s identity. The research indicates that the way many applications implement this login method gives attackers an opening: Entra ID lets an attacker set the mail attribute of an account they control to a victim’s address, and an application that matches users on that address can then be tricked into an account takeover through its “Log in with Microsoft” feature.
How the Attack Works
The method of attack is notably straightforward. Entra ID allows users to set unverified email addresses, which opens the door to impersonating users across tenants. When applications accept multiple identity providers—like Google, Facebook, or Microsoft—the problem becomes even more pronounced. If the target’s email address is the sole identifier used to merge accounts, an attacker need only change the email attribute to gain access to the victim’s account.
Semperis focused on nOAuth’s application in scenarios where both the attacker and the victim are operating from different Entra ID tenants. Eric Woodruff, Chief Identity Architect at Semperis, remarked, “nOAuth abuse is a serious threat that many organizations may be exposed to. It’s low effort, leaves almost no trace, and bypasses end-user protections.” This vulnerability not only grants access to data within the SaaS application but could also open doors to explore Microsoft 365 resources.
Microsoft’s Response
Following Semperis’ findings reported in December 2024, Microsoft reiterated guidance initially issued in 2023 concerning nOAuth. They stressed that compliance with their recommendations is crucial, emphasizing that failing to do so could result in removal from the Entra App Gallery. According to Microsoft, using claims other than the subject identifier (designated as the “sub” claim) to uniquely identify users within OpenID Connect does not adhere to established best practices. Such deviations can break the expected contract between federated identity providers and relying parties.
Importance of Developer Mitigation
Ultimately, addressing the nOAuth vulnerability falls to developers. They play a critical role in implementing proper authentication measures that mitigate the risk of account takeovers. This includes establishing a unique, immutable user identifier to prevent impersonation. Semperis elaborated on the potential consequences of exploitative nOAuth practices, noting that these vulnerabilities can lead to exfiltration of SaaS application data, persistent threats, and unauthorized lateral movements across systems.
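The following added example (not code from Semperis, Microsoft or any SaaS vendor) illustrates the account-linking mistake described in “How the Attack Works” and the fix Microsoft’s guidance calls for. It uses constructed, already signature-verified ID-token claims and a tiny in-memory user store; the tenant ids, subject values and addresses are placeholders. The vulnerable resolver keys on the unverified email claim, the hardened one keys on the (iss, sub) pair that OIDC Core defines as the only guaranteed-unique user identifier, and a third function shows the mismatch a relying party can log as a detection signal.

```python
# Added example: account linking in an OIDC relying party.
# Not code from Semperis, Microsoft or any SaaS product. Tokens are constructed
# dictionaries standing in for decoded, signature-verified ID tokens.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    email: str                       # display / notification only
    # Stable external identities as (issuer, subject) pairs. OIDC Core 5.7:
    # "sub" is unique only within an issuer, so always pair it with "iss".
    oidc_ids: set = field(default_factory=set)


# Issuer URLs below follow the Entra ID v2.0 pattern; tenant ids are placeholders.
VICTIM_ISSUER = "https://login.microsoftonline.com/<victim-tenant-id>/v2.0"
OTHER_ISSUER = "https://login.microsoftonline.com/<other-tenant-id>/v2.0"


def make_store():
    """Constructed user store: one existing account linked to the victim's identity."""
    victim = Account(1, "cfo@victim.example", {(VICTIM_ISSUER, "sub-victim-1")})
    return {victim.account_id: victim}


# Constructed claims of a legitimate login from the victim's own tenant.
VICTIM_TOKEN = {
    "iss": VICTIM_ISSUER,
    "tid": "<victim-tenant-id>",
    "sub": "sub-victim-1",
    "email": "cfo@victim.example",
}

# Constructed claims of a login from a different tenant whose account has its
# (unverified) mail attribute set to the victim's address: the cross-tenant
# situation the article describes.
OTHER_TENANT_TOKEN = {
    "iss": OTHER_ISSUER,
    "tid": "<other-tenant-id>",
    "sub": "sub-other-9",
    "email": "cfo@victim.example",
}


def resolve_by_email(store, token):
    """Vulnerable pattern: the email claim is the merge key, so any token carrying
    a matching address, from any tenant, lands in the existing account."""
    wanted = token["email"].lower()
    for acct in store.values():
        if acct.email.lower() == wanted:
            return acct
    return None


def resolve_by_subject(store, token):
    """Hardened pattern: key on (iss, sub). An unknown pair yields None, which the
    caller turns into a fresh account or an explicit, verified linking flow,
    never a silent merge on email."""
    key = (token["iss"], token["sub"])
    for acct in store.values():
        if key in acct.oidc_ids:
            return acct
    return None


def email_collision_alert(store, token):
    """Detection aid: an email claim that matches an existing account while the
    (iss, sub) pair does not is worth logging, whether or not the merge is blocked."""
    by_email = resolve_by_email(store, token)
    by_sub = resolve_by_subject(store, token)
    return by_email is not None and by_sub is not by_email


if __name__ == "__main__":
    store = make_store()
    for name, tok in (("victim", VICTIM_TOKEN), ("other-tenant", OTHER_TENANT_TOKEN)):
        print(name, "email->", resolve_by_email(store, tok),
              "subject->", resolve_by_subject(store, tok),
              "alert:", email_collision_alert(store, tok))
```

The email-keyed resolver returns the victim’s account for both tokens, which is the nOAuth merge; the subject-keyed resolver returns it only for the victim’s own token and refuses the other. When email still has to be read for anything beyond display, treat the claim as unverified unless the identity provider says otherwise (Entra ID exposes an optional xms_edov claim for exactly that purpose), and alert on the collision case so an attempted cross-tenant merge leaves a trace in your own logs even though it leaves almost none at the identity provider.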
Broader Security Implications
This vulnerability disclosure coincides with another critical finding from Trend Micro regarding misconfigurations and excessive privileges in Kubernetes environments. Their research revealed that such lapses could allow attackers access to sensitive Amazon Web Services (AWS) credentials, facilitating further malicious actions. Security researcher Jiri Gogela highlighted the necessity for guidelines emphasizing the principle of least privilege, ensuring that container configurations remain adequately scoped to limit exploitation opportunities for malicious users.
As organizations increasingly rely on cloud solutions, understanding and combating these vulnerabilities is paramount to maintaining robust cybersecurity measures against evolving threats in the digital landscape.