A critical authentication vulnerability, which is now known by the name nOAuth abuse, has emerged as a severe threat. It specifically targets Microsoft Entra ID integrated software-as-a-service, or SaaS, applications, enabling attackers to take over accounts. This vulnerability exploits fundamental flaws in how application developers have chosen to implement their OpenID Connect authentication. The attack leverages anti-patterns where developers use email addresses as the unique user identifiers for their online applications.
The nOAuth vulnerability was initially disclosed by Omer Cohen of Descope on June 20, 2023, highlighting the issue.
Recent research that was conducted by the security analysts at Semperis has revealed the continued prevalence of this vulnerability. In comprehensive testing of over one hundred applications from the Microsoft Entra App Gallery, researchers identified multiple applications. These applications were found to be vulnerable to nOAuth abuse, representing approximately nine percent of all of the tested platforms.
The nOAuth abuse mechanism exploits a fundamental weakness in cross-tenant authentication flows within the Entra ID environments. The attack begins when an adversary creates or modifies a user account in their own controlled Entra tenant. They set the mail attribute to match that of their intended victim in a separate, targeted business organization. Microsoft Entra ID permits users to have unverified email addresses to support its guest user account functionality.
This unfortunately creates the foundational vulnerability that is now being actively exploited by many different online attackers.
This attack successfully circumvents many traditional security controls including the now widely used multifactor authentication protections. The authentication appears to be completely legitimate from the application’s perspective, making it very difficult to detect. The vulnerability’s persistence stems from the architectural decision to rely on mutable claims rather than immutable claims. This technical oversight creates a persistent attack vector that will remain viable until application developers implement proper controls.
Reference:
