New research has highlighted ongoing risks from a known vulnerability in Microsoft’s Entra ID that could enable attackers to take over accounts in susceptible software-as-a-service (SaaS) applications.
Semperis, an identity security firm, analyzed 104 SaaS applications and identified nine that are still vulnerable to cross-tenant nOAuth abuse in Entra ID. The flaw, first reported in June 2023, lies in how these applications implement OpenID Connect (OIDC), the identity layer built on top of OAuth 2.0 that is used to verify who a user is.
The vulnerability allows an attacker to set the email attribute of an Entra ID account under their control to a victim's address and then hijack the victim's account in the SaaS application through the “Log in with Microsoft” feature. The attack is made easier by Entra ID's policy of permitting users to have unverified email addresses, which allows impersonation across tenant boundaries.
Semperis focused on a specific variant of nOAuth wherein both the attacker and the target user exist on different Entra ID tenants. Eric Woodruff, Chief Identity Architect at Semperis, warned, “nOAuth abuse is a serious threat that many organizations may be exposed to. It’s low effort, leaves almost no trace, and bypasses end‑user protections.”
Should an attacker exploit this weakness successfully, they could gain access not just to the SaaS application but potentially to Microsoft 365 resources as well. Semperis reported its findings to Microsoft back in December 2024, leading to the tech giant reiterating its guidelines from 2023 about securing such vulnerabilities. Vendors failing to comply might face removal from the Entra App Gallery.
Microsoft has also stressed the importance of using the appropriate claims to uniquely identify users in OIDC. Relying on any claim other than the subject identifier ("sub") breaks the trust assumptions between the identity provider and the relying party.
Ultimately, mitigating nOAuth abuse lies in the hands of the developers of the relying applications, who must key user accounts on unique, immutable identifiers rather than on mutable attributes such as email. Semperis noted that this type of vulnerability is both difficult for users to detect and nearly impossible for users to defend against without proper mitigation steps.
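The following is an added illustration of the relying-party mistake the article describes and of the fix Microsoft recommends; it is not code from Semperis, Microsoft, or any of the audited applications. It assumes the ID token has already been signature-, issuer- and audience-validated, and that the app keys local accounts on the token's `tid` (tenant) and `sub` (subject) claims; the tenant ids, subjects and addresses are constructed sample values.

```python
# Added example (not from the article or the vendors it cites): how a
# "Log in with Microsoft" relying party should map an OIDC ID token to a
# local account. Claim dictionaries below stand in for tokens whose
# signature, issuer and audience have already been verified.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    subject_key: str  # "<tid>:<sub>", recorded when the account was first linked


@dataclass
class UserStore:
    accounts: list = field(default_factory=list)

    def by_email(self, email):
        return next((a for a in self.accounts if a.email.lower() == email.lower()), None)

    def by_subject(self, key):
        return next((a for a in self.accounts if a.subject_key == key), None)


def resolve_user_insecure(store, claims):
    """nOAuth-susceptible pattern: the mutable, unverified 'email' claim is the
    only thing tying the token to an existing local account."""
    return store.by_email(claims["email"])


def resolve_user_secure(store, claims):
    """Hardened pattern: the account is located by the immutable (tid, sub)
    pair. The email claim is never used to find an existing account; at most
    it seeds a display field when a brand-new account is provisioned."""
    key = f'{claims["tid"]}:{claims["sub"]}'
    return store.by_subject(key)


# Constructed sample data ---------------------------------------------------
VICTIM_TENANT = "11111111-aaaa-aaaa-aaaa-111111111111"    # constructed tenant id
ATTACKER_TENANT = "22222222-bbbb-bbbb-bbbb-222222222222"  # constructed tenant id

VICTIM_CLAIMS = {"tid": VICTIM_TENANT, "sub": "sub-alice-0001",
                 "email": "alice@victim.example"}
# Token for an account in a *different* tenant whose mail attribute has been
# set to the victim's address; tid and sub cannot be spoofed this way.
CROSS_TENANT_CLAIMS = {"tid": ATTACKER_TENANT, "sub": "sub-mallory-0002",
                       "email": "alice@victim.example"}


def seed_store():
    store = UserStore()
    store.accounts.append(Account("acct-victim", "alice@victim.example",
                                  f"{VICTIM_TENANT}:sub-alice-0001"))
    return store


def demo():
    """Returns (insecure lookup, secure lookup, secure lookup for the real
    user) as account ids, or None where no account matches."""
    store = seed_store()
    insecure = resolve_user_insecure(store, CROSS_TENANT_CLAIMS)
    secure = resolve_user_secure(store, CROSS_TENANT_CLAIMS)
    legit = resolve_user_secure(store, VICTIM_CLAIMS)
    return tuple(a.account_id if a else None for a in (insecure, secure, legit))


if __name__ == "__main__":
    print(demo())  # email-keyed lookup hands over acct-victim; (tid, sub) lookup does not
```

The email-keyed lookup returns the victim's account for a token minted in another tenant, which is the whole nOAuth problem; the `(tid, sub)`-keyed lookup returns nothing for that token while still resolving the genuine user. Any existing accounts that were originally linked by email need a one-time migration to record the subject key before the insecure path is removed.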
In a related vein, Trend Micro has reported newly discovered security issues that could allow attackers to exploit misconfigured or overly privileged containers in Kubernetes environments, highlighting the many fronts on which cloud environments must be secured. Attackers could potentially reach sensitive AWS credentials through methods such as packet sniffing and manipulating network settings.
These findings serve as a reminder of the importance of strict privilege management and proper configuration in protecting data in modern cloud infrastructures.
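As an added example of the "strict privilege management" the article calls for, the audit below flags the container settings that hand a workload the ability to sniff or reconfigure the node's network; it is not Trend Micro's tooling. It assumes that, on Linux, packet sniffing needs the `NET_RAW` capability, changing network settings needs `NET_ADMIN`, and `hostNetwork: true` or `privileged: true` grants both, and that many container runtimes include `NET_RAW` in their default capability set unless it is dropped. The two pod manifests are constructed.

```python
# Added example (not Trend Micro's code): audit a Kubernetes pod manifest for
# the privilege settings that let a container sniff or alter node networking.
import copy

# Capabilities that, if added, are worth a finding (assumed mapping: NET_RAW for
# packet capture, NET_ADMIN for network reconfiguration, SYS_ADMIN as catch-all).
RISKY_CAPS = ("NET_RAW", "NET_ADMIN", "SYS_ADMIN")


def audit_pod(pod):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork=true shares the node's network namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true grants every capability")
        caps = sc.get("capabilities") or {}
        added = {x.upper() for x in caps.get("add", [])}
        dropped = {x.upper() for x in caps.get("drop", [])}
        for cap in RISKY_CAPS:
            if cap in added:
                findings.append(f"{name}: adds capability {cap}")
        # Assumption: NET_RAW is in the runtime default set unless dropped.
        if "ALL" not in dropped and "NET_RAW" not in dropped and "NET_RAW" not in added:
            findings.append(f"{name}: NET_RAW not dropped (runtime default set)")
    return findings


# Constructed manifests -----------------------------------------------------
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "worker"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
        }],
    },
}


def harden(pod):
    """Return a copy with host networking off, privilege escalation denied and
    all capabilities dropped for every container."""
    fixed = copy.deepcopy(pod)
    spec = fixed["spec"]
    spec["hostNetwork"] = False
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["securityContext"] = {
            "privileged": False,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        }
    return fixed


if __name__ == "__main__":
    for line in audit_pod(WEAK_POD):
        print("weak:", line)
    print("hardened findings:", audit_pod(harden(WEAK_POD)))
```

Run it over manifests pulled from the cluster (`kubectl get pod -o json`, iterating the `items` list) to get a quick inventory of workloads that could reach node-level traffic; pods that genuinely need such capabilities should then be the exception, reviewed and isolated, rather than the default.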