A critical vulnerability in Microsoft’s Entra ID still exposes a range of enterprise applications two years after it was discovered.
Semperis, an identity security provider, shared new findings on this threat on June 25 at the TROOPERS25 conference in Heidelberg, Germany.
The report showed that at least 15,000 software-as-a-service (SaaS) applications are likely vulnerable to nOAuth, a severe authentication flaw in Microsoft’s Entra ID that can lead to account takeovers and data exfiltration.
The nOAuth Vulnerability Explained
Discovered in June 2023 by Descope through cross-tenant testing, nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant Open Authorization (OAuth) applications. OAuth is an open, token-based authorization framework that allows users to grant one application access to their private resources on another application without giving away their identity details.
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0, allowing applications to verify users’ identities and obtain basic profile information. The protocol uses JSON Web Tokens (JWT) to transmit this information securely between parties.
The flaw exploits Entra ID app configurations that accept unverified email claims as user identifiers, a known anti-pattern under the OpenID Connect standards. In these scenarios, attackers need only an Entra tenant and the target’s email address to take control of the victim’s SaaS account.
Moreover, traditional safeguards such as multifactor authentication (MFA), conditional access and Zero Trust policies are unable to protect against this vulnerability.
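To make the anti-pattern concrete, here is an added Python example (not code from the article, Semperis, Descope or Microsoft) of the account lookup a multi-tenant SaaS app performs on an already signature- and audience-checked Entra ID token: the vulnerable email-keyed form beside a hardened form keyed on the tenant ID (`tid`) and object ID (`oid`) claims. Tenant IDs, object IDs, email addresses and claim sets are constructed placeholders.

```python
# Added example, not code from the article, Semperis, Descope or Microsoft.
# Models how a multi-tenant SaaS app maps a verified Entra ID ID-token payload
# to a local account: first the nOAuth anti-pattern (keyed on the unverified
# "email" claim), then the hardened form (keyed on "tid" plus "oid", which
# Entra ID sets and a foreign tenant's administrator cannot choose).
# All identifiers below are constructed placeholders.
from typing import Optional

# Constructed local account store holding one victim-tenant user, "alice".
VICTIM_TID = "00000000-0000-0000-0000-00000000aaaa"   # placeholder tenant ID
ALICE_OID = "00000000-0000-0000-0000-0000000a11ce"    # placeholder object ID
ACCOUNTS = [
    {"email": "alice@victim-corp.example", "tid": VICTIM_TID,
     "oid": ALICE_OID, "role": "admin"},
]

def lookup_by_email_claim(claims: dict) -> Optional[dict]:
    """nOAuth anti-pattern: 'email' is mutable and unverified, so a token from
    any tenant whose admin set a user's mail attribute to the victim's address
    resolves to the victim's account."""
    email = claims.get("email", "").strip().lower()
    if not email:
        return None
    return next((a for a in ACCOUNTS if a["email"].lower() == email), None)

def lookup_by_tenant_and_oid(claims: dict) -> Optional[dict]:
    """Hardened lookup: identity is the pair (tid, oid). The 'email' claim may
    be displayed but never selects or links an account, so a token from another
    tenant finds nothing even when the email matches."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    return next((a for a in ACCOUNTS if a["tid"] == tid and a["oid"] == oid), None)

# Constructed claim sets (already signature-checked and audience-checked).
LEGIT_CLAIMS = {"tid": VICTIM_TID, "oid": ALICE_OID,
                "email": "alice@victim-corp.example"}
# Same email address, but issued by a different tenant for a different object.
CROSS_TENANT_CLAIMS = {"tid": "00000000-0000-0000-0000-00000000bbbb",
                       "oid": "00000000-0000-0000-0000-000000000bad",
                       "email": "Alice@victim-corp.example"}

if __name__ == "__main__":
    for name, claims in (("legitimate", LEGIT_CLAIMS),
                         ("cross-tenant", CROSS_TENANT_CLAIMS)):
        print(name, "email-keyed match:", lookup_by_email_claim(claims) is not None,
              "| tid+oid-keyed match:", lookup_by_tenant_and_oid(claims) is not None)
```

The email-keyed lookup resolves both claim sets to alice's admin account, while the tid+oid-keyed lookup resolves only the legitimate one; the same keying rule should also govern first-time account linking, which is where just-in-time provisioning by email reintroduces the flaw.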
Undetected by SaaS vendors
Semperis has found that, two years after the discovery of nOAuth, many SaaS applications are still vulnerable to the flaw.
The company estimated that these vulnerable apps represent at least 10% of the total number of SaaS applications in use, which it assessed to be over 150,000.
This means that at least 15,000 enterprise SaaS applications are still vulnerable to nOAuth as of June 2025.
This is because the vulnerability “continues to go undetected by SaaS vendors, who may not even know what to look for, and it’s nearly impossible for enterprise customers to defend against, allowing attackers to take over accounts and exfiltrate data,” the company explained.
Eric Woodruff, Semperis’ Chief Identity Architect, presented the company’s findings at TROOPERS25. He ranked this vulnerability as “severe” because the attack is low complexity and is impossible to defend against.
He said: “It’s easy for well-meaning developers to follow insecure patterns without realizing it, and in many cases they don’t even know what to look for. Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat.”
Protecting Against nOAuth Vulnerabilities
While traditional vulnerability mitigation measures don’t work against nOAuth, Semperis provided some recommendations to mitigate the threat. These included:
- SaaS vendors should follow Microsoft’s recommendations to prevent nOAuth abuse
- Developers should implement the necessary fixes to protect their customers
- Organizations should have deep log correlation across both Entra ID and the SaaS platform to detect nOAuth abuse