New analysis has uncovered continued danger from a recognized security weak point in Microsoft’s Entra ID, probably enabling malicious actors to attain account takeovers in vulnerable software-as-a-service (SaaS) functions.
Id security firm Semperis, in an evaluation of 104 SaaS functions, discovered 9 of them to be susceptible to Entra ID cross-tenant nOAuth abuse.
First disclosed by Descope in June 2023, nOAuth refers to a weak point in how SaaS functions implement OpenID Join (OIDC), which refers to an authentication layer constructed atop OAuth to confirm a person’s id.
The authentication implementation flaw primarily permits a nasty actor to vary the mail attribute within the Entra ID account to that of a sufferer’s and benefit from the app’s “Log in with Microsoft” function to hijack that account.
The assault is trivial, nevertheless it additionally works as a result of Entra ID permits customers to have an unverified e mail tackle, opening the door to person impersonation throughout tenant boundaries.
It additionally exploits the truth that an app utilizing a number of id suppliers (e.g., Google, Fb, or Microsoft) might inadvertently enable an attacker to register to a goal person’s account just because the e-mail tackle is used as the only standards to uniquely determine customers and merge accounts.
Semperis’ menace mannequin focuses on a variant of nOAuth, particularly discovering functions that enable for Entra ID cross-tenant entry. In different phrases, each the attacker and the sufferer are on two completely different Entra ID tenants.
“nOAuth abuse is a severe menace that many organizations could also be uncovered to,” Eric Woodruff, chief id architect at Semperis, mentioned. “It is low effort, leaves nearly no hint and bypasses finish‑person protections.”
“An attacker that efficiently abuses nOAuth would give you the option not solely to realize entry to the SaaS software knowledge, but additionally probably to pivot into Microsoft 365 assets.”
Semperis mentioned it reported the findings to Microsoft in December 2024, prompting the Home windows maker to reiterate suggestions it gave again in 2023, coinciding with the general public disclosure of nOAuth. It additionally famous that distributors that don’t adjust to the rules danger getting their apps faraway from the Entra App Gallery.
Microsoft has additionally emphasised that using claims aside from topic identifier (known as the “sub” declare) to uniquely determine an finish person in OpenID Join is non-compliant.
“If an OpenID Join relying social gathering makes use of any different claims in a token moreover a mix of the sub (topic) declare and the iss (issuer) declare as a major account identifier in OpenID Join, they’re breaking the contract of expectations between federated id supplier and relying social gathering,” the corporate famous at the moment.
Mitigating nOAuth finally rests within the fingers of builders, who should correctly implement authentication to forestall account takeovers by creating a novel, immutable person identifier.
“nOAuth abuse exploits cross-tenant vulnerabilities and may result in SaaS software knowledge exfiltration, persistence, and lateral motion,” the corporate mentioned. “The abuse is troublesome for patrons of susceptible functions to detect and not possible for patrons of susceptible functions to defend in opposition to.”
The disclosure comes as Development Micro revealed that misconfigured or overly privileged containers in Kubernetes environments can be utilized to facilitate entry to delicate Amazon Internet Companies (AWS) credentials, enabling attackers to conduct follow-on actions.
The cybersecurity firm mentioned attackers can exploit extreme privileges granted to containers utilizing strategies like packet sniffing of unencrypted HTTP site visitors to entry plaintext credentials and API spoofing, which makes use of manipulated Community Interface Card (NIC) settings to intercept Authorization tokens and acquire elevated privileges.
“The findings […] spotlight crucial security concerns when utilizing Amazon EKS Pod Id for simplifying AWS useful resource entry in Kubernetes environments,” security researcher Jiri Gogela mentioned.
“These vulnerabilities underscore the significance of adhering to the precept of least privilege, guaranteeing container configurations are scoped appropriately, and minimizing alternatives for exploitation by malicious actors.”
