nOAuth Vulnerability Allows Full Account Takeover in Entra Cross-Tenant SaaS Apps

A recently disclosed vulnerability known as “nOAuth” is raising significant concern across the Microsoft Entra ecosystem, with security researchers warning of the potential for full account takeover in cross-tenant SaaS applications.

The flaw, which stems from improper implementation of OpenID Connect (OIDC) standards by some application developers, allows attackers with access to a separate Entra tenant and knowledge of a target user’s email address to gain unauthorized access to that user’s account in vulnerable applications.

This can result in data exfiltration, persistence, and lateral movement within affected SaaS platforms, with little recourse for detection or defense by end users.

Critical Authentication Flaw

The nOAuth vulnerability was first detailed in June 2023, highlighting a critical flaw in how some applications integrated with Microsoft's identity platform identify their users.

The issue arises when applications use mutable attributes such as email addresses as unique user identifiers, rather than relying on the immutable combination of issuer (iss) and subject (sub) claims as specified by OIDC.

Because Entra ID lets a tenant administrator set an arbitrary, unverified email address on any user in that tenant, a malicious actor can create a user in a tenant they control, assign it the same email address as the target user, and sign in to the application with it.

[Figure: Verified domain name in Entra ID]

If the SaaS application relies on the email claim for identification, the attacker is granted access to the victim’s account.

In a recent study, the Semperis Security Research Team tested 104 SaaS applications listed in the Microsoft Entra App Gallery and found that nine (approximately 9%) were vulnerable to nOAuth abuse.

The affected applications included platforms likely to store sensitive personally identifiable information (PII) and those integrated with Microsoft 365 services, amplifying the potential impact of a successful attack.

The researchers emphasized the low complexity of the attack, the absence of effective detection mechanisms, and the lack of available mitigations for customers, rating the risk as severe.

The severity is compounded by the fact that customers of vulnerable applications have no means to defend themselves.

Traditional security controls such as multifactor authentication (MFA), conditional access policies, and endpoint detection and response (EDR) solutions are ineffective against this vector: the attacker authenticates normally to their own tenant, so nothing in Entra ID's authentication process is circumvented. The attack exploits the application's trust in the email claim of a legitimately issued token.

Even advanced SaaS Security Posture Management (SSPM) tools offer limited visibility, as they typically focus on configuration rather than runtime abuse.

Detection and Mitigation Remain Elusive for End Users

Microsoft has responded to the nOAuth disclosure by updating Entra ID’s default behavior for new app registrations, ensuring that unverified email claims are not emitted unless explicitly configured otherwise.

[Figure: Running a PATCH against Adele Vance]

However, this does not address the multitude of existing SaaS applications developed prior to these changes, many of which continue to rely on email claims for user identification.

Microsoft has also introduced the optional xms_edov claim, which indicates whether the domain of the email address in the token has been verified by the issuing tenant, but its implementation and support remain inconsistent.

The only viable mitigation lies with application developers, who must update their authentication logic to use the OIDC-prescribed combination of issuer (iss) and subject (sub) claims for unique user identification.

Developers are urged to avoid using email claims as identifiers and to implement robust email verification workflows, especially in applications that support account merging across multiple identity providers.
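The following is an added example, not code from the article, from Semperis, or from Microsoft. It contrasts the vulnerable pattern described above (the application looks up its user record by the email claim) with the recommended one (the record is keyed on the iss and sub claims, and email is only used to provision new accounts when the issuer vouches for the domain via xms_edov). The tenant IDs, sub values and email addresses are constructed sample data, and the tokens are shown as already-validated claim sets; the attacker's token is genuine, issued by the attacker's own tenant for a user whose email was set to the victim's.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample tenant IDs (not real tenants).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"


def issuer(tenant_id: str) -> str:
    """Entra ID v2.0 issuer URL for a tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


# ID-token claims as the app sees them after signature, audience and expiry
# checks. Both tokens are valid; only the second one lies about who "alice" is.
VICTIM_TOKEN = {
    "iss": issuer(VICTIM_TENANT),
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # constructed pairwise sub
    "email": "alice@victim.example",
    "xms_edov": True,   # issuing tenant has verified victim.example
}
ATTACKER_TOKEN = {
    "iss": issuer(ATTACKER_TENANT),
    "sub": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",  # constructed pairwise sub
    "email": "alice@victim.example",   # attacker-set, unverified value
    "xms_edov": False,
}


@dataclass
class Account:
    account_id: int
    email: str
    iss: str
    sub: str


@dataclass
class UserStore:
    """In-memory stand-in for the application's user table."""
    accounts: list[Account] = field(default_factory=list)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.email.lower() == email.lower()), None)

    def by_identity(self, iss: str, sub: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.iss == iss and a.sub == sub), None)

    def create(self, claims: dict) -> Account:
        acct = Account(len(self.accounts) + 1, claims["email"], claims["iss"], claims["sub"])
        self.accounts.append(acct)
        return acct


def seed_store() -> UserStore:
    """Store holding the victim's existing account, provisioned from her own tenant."""
    store = UserStore()
    store.create(VICTIM_TOKEN)
    return store


def login_vulnerable(store: UserStore, claims: dict) -> Optional[Account]:
    """nOAuth-prone pattern: the mutable email claim is the account key."""
    return store.by_email(claims["email"])


def login_hardened(store: UserStore, claims: dict) -> tuple[Optional[Account], str]:
    """OIDC-correct pattern: (iss, sub) is the account key.

    Email is never a lookup key for an existing account. It is used only to
    provision a new account, and only when the issuer vouches for the domain
    via xms_edov. A verified email that collides with an account owned by a
    different (iss, sub) is refused rather than auto-merged.
    """
    acct = store.by_identity(claims["iss"], claims["sub"])
    if acct is not None:
        return acct, "matched"
    email = claims.get("email")
    if not email or claims.get("xms_edov") is not True:
        return None, "refused_unverified_email"
    if store.by_email(email) is not None:
        # Same email, different identity: the nOAuth signature. Refuse and log;
        # any merge must go through an out-of-band email verification flow.
        return None, "refused_email_collision"
    return store.create(claims), "created"


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(seed_store(), ATTACKER_TOKEN))  # victim's account
    print("hardened:  ", login_hardened(seed_store(), ATTACKER_TOKEN))    # (None, refused)
```

The "refused_email_collision" branch is also the one place the application itself can see the attack: an inbound token whose email matches an existing account but whose (iss, sub) does not is exactly the event the article says is so hard to reconstruct from Entra ID and SaaS logs after the fact, so it is worth logging with the issuer tenant ID at the moment it happens.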

Microsoft has warned that vendors failing to address the vulnerability may face removal from the Entra App Gallery.

For customers, the options are limited: they can pressure vendors to remediate the vulnerability or discontinue use of affected applications.

Detection of nOAuth abuse is highly challenging, requiring complex log correlation between Entra ID sign-in events and SaaS application authentication events, an approach that is often impractical due to inconsistent logging practices and the lack of the necessary identifiers (such as the issuing tenant ID) in application logs.

According to the report, the Semperis team has coordinated disclosure with Microsoft and affected vendors, but the persistence of vulnerable applications underscores the need for ongoing vigilance and industry-wide adherence to identity standards.

As SaaS adoption continues to accelerate, the nOAuth vulnerability serves as a stark reminder of the critical importance of secure authentication practices in multi-tenant cloud environments.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
