New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. First disclosed by Descope in June 2023, nOAuth refers to a weakness in how SaaS applications implement OpenID Connect (OIDC), which refers to an authentication layer built atop OAuth to verify a user's identity. The authentication implementation flaw essentially allows a bad actor to change the mail attribute in the Entra ID account to that of a victim's and take advantage of the app's "Log in with Microsoft" feature to hijack that account. The attack is trivial, but it also works because Entra ID permits users to have an unverified email address, opening the door to user impersonation across tenant boundaries. It also exploits the fact that an app using multiple identity providers (e.g., Google, Facebook, or Microsoft) could inadvertently allow an attacker to sign in to a target user's account simply because the email address is used as the sole criteria to uniquely identify users and merge accounts. Semperis' threat model focuses on a variant of nOAuth, specifically finding applications that allow for Entra ID cross-tenant access. In other words, both the attacker and the victim are on two different…Read More