Cyber Web Spider Blog – News

nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery

Posted on June 25, 2025 By CWS

Jun 25, 2025Ravie LakshmananSaaS Safety / Vulnerability
New analysis has uncovered continued threat from a identified safety weak spot in Microsoft’s Entra ID, probably enabling malicious actors to realize account takeovers in inclined software-as-a-service (SaaS) purposes.
Identification safety firm Semperis, in an evaluation of 104 SaaS purposes, discovered 9 of them to be susceptible to Entra ID cross-tenant nOAuth abuse.
First disclosed by Descope in June 2023, nOAuth refers to a weak spot in how SaaS purposes implement OpenID Join (OIDC), which refers to an authentication layer constructed atop OAuth to confirm a consumer’s id.
The authentication implementation flaw primarily permits a foul actor to vary the mail attribute within the Entra ID account to that of a sufferer’s and reap the benefits of the app’s “Log in with Microsoft” characteristic to hijack that account.

The attack is trivial, but it also works because Entra ID allows users to have an unverified email address, opening the door to user impersonation across tenant boundaries.
It also exploits the fact that an app using multiple identity providers (e.g., Google, Facebook, or Microsoft) could inadvertently allow an attacker to sign in to a target user's account simply because the email address is used as the sole criterion to uniquely identify users and merge accounts.
Semperis' threat model focuses on a variant of nOAuth, specifically finding applications that allow for Entra ID cross-tenant access. In other words, the attacker and the victim are on two different Entra ID tenants.
"nOAuth abuse is a serious threat that many organizations may be exposed to," Eric Woodruff, chief identity architect at Semperis, said. "It's low effort, leaves almost no trace and bypasses end-user protections."
"An attacker that successfully abuses nOAuth would be able not only to gain access to the SaaS application data, but also potentially to pivot into Microsoft 365 resources."
Semperis said it reported the findings to Microsoft in December 2024, prompting the Windows maker to reiterate recommendations it gave back in 2023, coinciding with the public disclosure of nOAuth. It also noted that vendors that don't comply with the guidelines risk getting their apps removed from the Entra App Gallery.

Microsoft has also emphasized that using claims other than the subject identifier (the "sub" claim) to uniquely identify an end user in OpenID Connect is non-compliant.
"If an OpenID Connect relying party uses any other claims in a token other than a combination of the sub (subject) claim and the iss (issuer) claim as a primary account identifier in OpenID Connect, they are breaking the contract of expectations between federated identity provider and relying party," the company noted at the time.
Mitigating nOAuth ultimately rests in the hands of developers, who must implement authentication correctly to prevent account takeovers by keying accounts on a unique, immutable user identifier rather than on the email address.
"nOAuth abuse exploits cross-tenant vulnerabilities and can lead to SaaS application data exfiltration, persistence, and lateral movement," the company said. "The abuse is difficult for customers of vulnerable applications to detect and impossible for customers of vulnerable applications to defend against."
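As an added illustration (not code from the article, Semperis, or Microsoft), the two account-resolution patterns at the heart of nOAuth, run against constructed ID-token claims: keying accounts on the email claim lets a token from a second tenant resolve to an existing account, while keying on the iss and sub pair keeps the accounts separate. The tenant and subject values are placeholders, and the claims stand in for tokens whose signatures have already been verified.

```python
# Added example, not from the article or the vendors it cites. Shows why an OIDC
# relying party must key accounts on (iss, sub), not on the email claim.
# Claims below are constructed stand-ins for decoded, signature-verified ID tokens.

VICTIM_TOKEN = {  # constructed: the victim signing in from their own tenant
    "iss": "https://login.microsoftonline.com/tenant-victim-placeholder/v2.0",
    "sub": "victim-subject-id",
    "email": "alice@example.com",
}
ATTACKER_TOKEN = {  # constructed: a different tenant, same unverified email value
    "iss": "https://login.microsoftonline.com/tenant-other-placeholder/v2.0",
    "sub": "other-subject-id",
    "email": "alice@example.com",
}


def resolve_by_email(users, claims):
    """Vulnerable pattern: email is the sole key used to find or merge accounts."""
    key = claims["email"].lower()
    if key not in users:
        users[key] = {"email": claims["email"], "data": []}
    return users[key]


def resolve_by_issuer_subject(users, claims):
    """Hardened pattern per the OIDC contract: (iss, sub) is the immutable key.
    Email is kept only as a display attribute and is never used for lookup."""
    key = (claims["iss"], claims["sub"])
    if key not in users:
        users[key] = {"email": claims.get("email"), "data": []}
    return users[key]


def demo():
    """Return (email_key_collides, iss_sub_key_collides) for the two tokens."""
    vuln_db, hard_db = {}, {}
    v_victim = resolve_by_email(vuln_db, VICTIM_TOKEN)
    v_victim["data"].append("victim-record")
    v_other = resolve_by_email(vuln_db, ATTACKER_TOKEN)  # lands on victim's account
    h_victim = resolve_by_issuer_subject(hard_db, VICTIM_TOKEN)
    h_victim["data"].append("victim-record")
    h_other = resolve_by_issuer_subject(hard_db, ATTACKER_TOKEN)  # new, separate account
    return (v_other is v_victim, h_other is h_victim, len(vuln_db), len(hard_db))
```

Running demo() shows the email-keyed store holding one shared account and the (iss, sub)-keyed store holding two, which is the only outcome that does not depend on the identity provider verifying email ownership.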

The disclosure comes as Trend Micro revealed that misconfigured or overly privileged containers in Kubernetes environments can be used to facilitate access to sensitive Amazon Web Services (AWS) credentials, enabling attackers to conduct follow-on actions.
The cybersecurity company said attackers can exploit excessive privileges granted to containers using methods like packet sniffing of unencrypted HTTP traffic to access plaintext credentials, and API spoofing, which uses manipulated Network Interface Card (NIC) settings to intercept Authorization tokens and gain elevated privileges.

"The findings [...] highlight critical security considerations when using Amazon EKS Pod Identity for simplifying AWS resource access in Kubernetes environments," security researcher Jiri Gogela said.
"These vulnerabilities underscore the importance of adhering to the principle of least privilege, ensuring container configurations are scoped appropriately, and minimizing opportunities for exploitation by malicious actors."

Category: The Hacker News