New research suggests more than 10,000 SaaS apps may remain vulnerable to a nOAuth variant despite the fundamental issue being disclosed in June 2023.
nOAuth is best described as an abuse methodology used to target a misconfiguration or poor development practice in the interface between SaaS apps and Entra ID. The SaaS user is the victim.
It is effectively impossible for a SaaS user to know whether it is a nOAuth victim, and there are no mitigation options available. The victim may have its own extensive security controls, but nOAuth takes place between SaaS and Entra, beyond the view of any local security.
Toward the end of 2024, researchers at Semperis began looking at SaaS applications included in the Microsoft Entra Gallery. The aim was not to repeat the Descope research, but to see if the nOAuth methodology could be invoked through a cross-tenant approach rather than Descope’s multiple identity providers scenario.
The researchers selected 104 SaaS applications from the Microsoft Entra Gallery. “Essentially, the target (victim) customer is a Microsoft customer with an Entra ID tenant, and the attacker uses a different Entra ID tenant to perform the abuse,” they explain. It works. The SaaS application only needs to support Entra ID for authentication to be susceptible to nOAuth – and while many apps may have followed advice to close the door detected by Descope (involving multiple identity providers), relatively few are even aware that only Entra ID is necessary to invoke nOAuth.
“The focus of the research from Descope was on account merging flows – for example, if the SaaS application supported Google and Microsoft (Entra ID). In our research, we found that the same kind of abuse can exist even when the application is only using Entra ID, and the application is only looking at the email claim,” explains Eric Woodruff, Senior Security Researcher at Semperis.
He continued, “Many developers might have read the Descope research and thought, ‘This doesn’t apply to us’. There was also some inaccurate reporting at the time, saying nOAuth was ‘fixed’. The headlines would make you believe that Microsoft did something to resolve it across the board.”
It wasn’t fixed. Microsoft provided advice on how to properly configure Entra ID. nOAuth can be prevented, but it cannot be fixed.
From the 104 apps it investigated, Semperis found that 9 were vulnerable to nOAuth (roughly 9%). It is difficult to know how these results might translate across the whole SaaS ecosphere, but Woodruff comments, “If there are, say, 44,000 SaaS companies, and several of them have multiple products, it wouldn’t be outrageous to assume that there could be 150,000 SaaS applications out there.”
Of those tested, 9% were vulnerable. “So, if that was extrapolated out against 150,000 applications, it would be 13,500 that could be vulnerable.” Among the vulnerable SaaS applications found by Semperis were a human resources management platform (likely full of PII), and other applications that integrated back into Microsoft 365. In the latter case, successful nOAuth abuse would allow the attacker to access the SaaS data and potentially to pivot into Microsoft 365 resources.
Semperis informed Microsoft of its research. It opened an MSRC case in December 2024 but received little response from MSRC – which closed the case without providing details in April 2025. SecurityWeek has invited Microsoft to comment on the Semperis research but has received no reply at the time of writing (if we get a response, it will be included as an addendum to this article).
But this isn’t a problem that can be fixed by Microsoft – it is fundamentally an architectural problem involving the authentication/authorization endpoint for all Entra tenants and the legitimate need for guest accounts with an email address, including unverified email addresses. Microsoft has built a platform that, if configured and implemented correctly, will not be vulnerable to nOAuth.
That is the problem. Developers are always under pressure to deliver at speed, and can easily misunderstand detailed instructions and make false assumptions about what is required. Details from the Semperis research suggest this is widespread.
In the final analysis, nOAuth isn’t a vulnerability that can be fixed, but a misconfiguration that can be exploited. Microsoft can offer advice and instructions on how to do things correctly, but it cannot force developers to follow the rules.
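To make the misconfiguration concrete from the developer's side, here is an added illustration in Python; it is not code from the article, from Semperis or from Microsoft. It contrasts the account-linking pattern the article describes (identifying the signed-in user by the email claim alone) with one keyed on the tenant and object identifiers that the issuing tenant cannot set freely. Every identifier, claim set and store below is constructed. It assumes an OIDC library has already verified the ID token's signature, issuer, audience and expiry before the decoded claims reach this code, and the `xms_edov` check assumes that optional Entra claim has been configured for the app registration.

```python
"""Account linking for a SaaS app that accepts Entra ID (OIDC) sign-in.

Added example, not code from the article or from Semperis. All identifiers and
claim sets are constructed. Assumes an OIDC library has already verified the ID
token's signature, issuer, audience and expiry before the decoded claims reach
this code.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserRecord:
    email: str
    tid: Optional[str] = None  # Entra tenant id the account was provisioned from
    oid: Optional[str] = None  # Entra object id of the user inside that tenant


@dataclass
class UserStore:
    by_email: dict = field(default_factory=dict)     # email -> UserRecord
    by_identity: dict = field(default_factory=dict)  # (tid, oid) -> UserRecord


# Constructed tenant and user identifiers.
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
VICTIM_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
OTHER_OID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"


def seeded_store() -> UserStore:
    """A store holding one account, provisioned from the victim tenant."""
    store = UserStore()
    victim = UserRecord(email="cfo@victim.example", tid=VICTIM_TENANT, oid=VICTIM_OID)
    store.by_email[victim.email] = victim
    store.by_identity[(victim.tid, victim.oid)] = victim
    return store


# Constructed claims: a token the victim tenant issued for its own user.
VICTIM_TOKEN = {
    "iss": f"https://login.microsoftonline.com/{VICTIM_TENANT}/v2.0",
    "tid": VICTIM_TENANT,
    "oid": VICTIM_OID,
    "email": "cfo@victim.example",
    "xms_edov": True,  # optional claim: email domain ownership verified (assumed configured)
}

# Constructed claims: a token issued by a different tenant whose user carries an
# unverified email attribute equal to the victim's address. That tenant cannot
# choose tid or oid, which is the property the hardened path relies on.
CROSS_TENANT_TOKEN = {
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "tid": OTHER_TENANT,
    "oid": OTHER_OID,
    "email": "cfo@victim.example",
    "preferred_username": "someone@other-tenant.example",
}


def weak_lookup(claims: dict, store: UserStore) -> Optional[UserRecord]:
    """The pattern the article describes: identify the user by email alone."""
    return store.by_email.get(claims.get("email"))


def hardened_lookup(claims: dict, store: UserStore) -> Optional[UserRecord]:
    """Key identity on the (tid, oid) pair; email is treated as display-only."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # refuse tokens that lack the stable identifiers
    return store.by_identity.get((tid, oid))


def email_is_verified(claims: dict) -> bool:
    """Trust the email claim for invite or first-sign-in matching only when the
    issuer asserts domain ownership was verified (assumed optional claim)."""
    return claims.get("xms_edov") is True


if __name__ == "__main__":
    store = seeded_store()
    print("weak lookup maps cross-tenant token to:", weak_lookup(CROSS_TENANT_TOKEN, store))
    print("hardened lookup maps cross-tenant token to:", hardened_lookup(CROSS_TENANT_TOKEN, store))
```

Run stand-alone, the weak path returns the victim's record for the cross-tenant token while the hardened path returns nothing. The design point is that `email` is a mutable, tenant-controlled attribute, so it can only serve as a display value or, where the issuer vouches for the domain, as a one-time hint when an invited user first signs in; the durable key for an account is the pair of tenant id and object id.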
The bottom line is that nOAuth continues, victims don’t know they are victims, Microsoft cannot fix the problem, and the developers, who alone can prevent nOAuth, are so far failing to do so.
Related: TeamFiltration Abused in Entra ID Account Takeover Campaign
Related: OneDrive Gives Web Apps Full Read Access to All Files
Related: Descope Targets Customer Identity Market with Massive $53M Seed Round
Related: Researchers Flag Account Takeover Flaw in Microsoft Azure AD OAuth Apps