
Microsoft nOAuth Flaw Still Exposes SaaS Apps Two Years After Discovery


Two years after its initial discovery, a critical vulnerability in Microsoft's Entra ID, known as nOAuth, continues to expose thousands of SaaS applications to potential account takeovers. New research from Semperis reveals the flaw, which bypasses standard defenses, remains a severe and active threat.


A critical authentication vulnerability in Microsoft's Entra ID, formerly known as Azure AD, continues to leave thousands of enterprise software-as-a-service (SaaS) applications vulnerable to account takeovers, two years after the issue was first brought to light. New findings from identity security provider Semperis, presented at the TROOPERS25 conference, highlight the ongoing risk.

The vulnerability, dubbed "nOAuth," was first disclosed by Descope in June 2023. It stems from a flaw in how some SaaS applications implement OpenID Connect (OIDC), an authentication layer built on top of the OAuth 2.0 authorization framework. Specifically, the issue lies with applications trusting the mutable and unverified "email" claim in an authentication token for user identification. This practice is a known anti-pattern per OpenID Connect standards.

An attacker can exploit this flaw by creating an account in an Entra ID tenant and setting their email address to match that of a target victim. When the attacker uses the "Log in with Microsoft" feature on a vulnerable SaaS application, the app incorrectly identifies the attacker as the legitimate user based solely on the email address. This can lead to a full takeover of the victim's account within the SaaS application. Worryingly, traditional safeguards like multi-factor authentication (MFA) and Zero Trust policies offer no protection against this attack.

Semperis's research revealed the severity of the ongoing problem. In a test of more than 100 Entra-integrated SaaS applications, Semperis found that nearly 10% were vulnerable to nOAuth abuse. Based on estimates of there being over 150,000 SaaS applications in use, this could mean that at least 15,000 applications remain exposed. The vulnerable applications identified included sensitive systems, such as a human resources management platform containing personally identifiable information (PII) and apps that integrate into Microsoft 365.

Following the initial disclosure in 2023, Microsoft took steps to mitigate the risk, including changing the default behavior for new app registrations to not emit an email claim if the email address is unverified. However, thousands of applications created before June 2023 still exist, and developers can still configure apps to accept unverified emails. The responsibility for ultimately fixing the flaw lies with the application developers, who must update their code to use a unique, immutable user identifier for authentication, rather than relying on the email address.

Semperis researchers rate the vulnerability as "severe" due to the attack's low complexity and the difficulty of detection and defense. It is nearly impossible for customers of vulnerable applications to know they are being targeted or to defend against the attack. Semperis notified Microsoft and the affected vendors of its findings in December 2024. While some vendors have since remediated their applications, others remain vulnerable, leaving their users at risk.
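The following is an added illustration, not code from the article, Semperis, Descope or Microsoft. It shows the user-resolution step of a "Log in with Microsoft" handler in the two forms the article contrasts: the nOAuth anti-pattern, which looks an account up by the token's "email" claim, and the OIDC-conformant version, which keys identity on the issuer plus the immutable "sub" claim and never lets an unknown subject inherit an existing account through a matching email. The claim sets are constructed Python dictionaries standing in for ID tokens whose signatures have already been validated; the tenant and subject values are made up.

```python
from dataclasses import dataclass, field


@dataclass
class AppUser:
    app_user_id: int
    email: str      # contact/display value only in the hardened path
    iss: str = ""   # issuer the account was linked to at first login
    sub: str = ""   # immutable subject identifier from that issuer


@dataclass
class AccountStore:
    """Constructed in-memory stand-in for the SaaS app's user table."""
    users: dict = field(default_factory=dict)   # app_user_id -> AppUser
    next_id: int = 1

    def create(self, email, iss="", sub=""):
        user = AppUser(self.next_id, email, iss, sub)
        self.users[user.app_user_id] = user
        self.next_id += 1
        return user

    def find_by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)

    def find_by_subject(self, iss, sub):
        return next((u for u in self.users.values()
                     if u.iss == iss and u.sub == sub), None)


def resolve_user_vulnerable(store, claims):
    """nOAuth anti-pattern: whoever presents a token whose 'email' claim
    matches an existing account is treated as that account's owner. The
    claim is mutable and, for older app registrations, unverified."""
    email = claims.get("email")
    return store.find_by_email(email) if email else None


def resolve_user_hardened(store, claims):
    """OIDC-conformant: identity is the (iss, sub) pair, which the identity
    provider guarantees to be unique and stable. A subject the app has never
    seen gets a fresh account; it is never silently linked to an existing
    one on the strength of an email address."""
    iss, sub = claims["iss"], claims["sub"]
    user = store.find_by_subject(iss, sub)
    if user is None:
        user = store.create(claims.get("email", ""), iss, sub)
    return user


# Constructed claim sets. Both carry the same email: the second comes from a
# different tenant and subject, exactly the situation the article describes.
VICTIM_TOKEN = {
    "iss": "https://login.microsoftonline.com/11111111-victim-tenant/v2.0",
    "tid": "11111111-victim-tenant",
    "sub": "sub-of-victim",
    "email": "victim@example.com",
}
OTHER_TENANT_TOKEN = {
    "iss": "https://login.microsoftonline.com/22222222-other-tenant/v2.0",
    "tid": "22222222-other-tenant",
    "sub": "sub-of-other-user",
    "email": "victim@example.com",
}


def demo():
    """Provision the victim, then present the other tenant's token to both
    resolvers and report which one hands over the victim's account."""
    store = AccountStore()
    victim = store.create("victim@example.com", VICTIM_TOKEN["iss"], VICTIM_TOKEN["sub"])
    vuln = resolve_user_vulnerable(store, OTHER_TENANT_TOKEN)
    hard = resolve_user_hardened(store, OTHER_TENANT_TOKEN)
    return {
        "vulnerable_gives_victim_account": vuln is not None and vuln.app_user_id == victim.app_user_id,
        "hardened_gives_victim_account": hard.app_user_id == victim.app_user_id,
        "hardened_still_resolves_victim": resolve_user_hardened(store, VICTIM_TOKEN).app_user_id == victim.app_user_id,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable resolver returns the victim's record for the foreign-tenant token; the hardened one creates a separate account for the unknown (iss, sub) pair while still resolving the victim's own token correctly. Keying on the issuer as well as "sub" matters because subject identifiers are only unique within one issuer; Entra ID additionally exposes the "oid" and "tid" claims, and an app may use that pair as its stable key instead. If a product does need to merge a new login into an existing account by email, that merge should be a deliberate, separately verified linking step, not the default lookup.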
