A critical security flaw, termed nOAuth, has been identified within Microsoft Entra ID’s authentication processes, posing a significant risk to enterprise SaaS applications. This vulnerability allows attackers to gain complete control over user accounts with minimal effort, exploiting weaknesses in how applications handle authentication and user identification.
Understanding the nOAuth Vulnerability
The nOAuth flaw arises from improper implementation of OpenID Connect authentication protocols in applications integrated with Microsoft Entra ID. Specifically, the issue stems from developers relying on mutable email attributes as unique user identifiers instead of immutable identifiers like the `sub` (subject) claim. This reliance becomes problematic because Microsoft Entra ID permits users to set unverified email addresses, which can be manipulated by malicious actors.
Discovery and Initial Disclosure
The vulnerability was first brought to light by Omer Cohen of Descope on June 20, 2023. Cohen’s research demonstrated how misconfigurations in Microsoft OAuth could lead to full account compromises. The attack exploits the practice of using email addresses as unique identifiers, combined with Entra ID’s acceptance of unverified email addresses across different tenants. This combination enables attackers to impersonate legitimate users by setting matching email addresses in their own Entra tenants.
Recent Findings and Ongoing Risks
Subsequent research by Semperis security analysts has revealed that the nOAuth vulnerability remains prevalent across various enterprise SaaS applications. In a comprehensive assessment of 104 applications from the Microsoft Entra App Gallery, nine were found to be susceptible to nOAuth abuse, accounting for approximately 9% of the tested platforms. Notably, some of these vulnerable applications contained sensitive data, including personally identifiable information, and had direct integrations with Microsoft 365 services. This integration could potentially allow attackers to access additional enterprise resources.
Mechanics of the nOAuth Attack
The exploitation of the nOAuth vulnerability involves several steps:
1. Account Creation or Modification: The attacker creates or modifies a user account within their controlled Entra tenant, setting the email attribute to match that of the intended victim in a different organization.
2. Exploitation of Unverified Email Claims: Microsoft Entra ID allows users to have unverified email addresses to support guest user functionality. For applications created before June 2023, unverified email claims are emitted by default in ID tokens.
3. Application Configuration Manipulation: The attacker configures app registrations with specific authentication behaviors, setting the `removeUnverifiedEmailClaim` parameter to `false`. This adjustment enables the application to receive and process unverified email claims during the authentication flow.
4. Authentication and Account Takeover: When the attacker initiates authentication to the vulnerable SaaS application, the application receives an ID token containing the unverified email claim. If the application uses this email claim as the unique identifier without proper validation, it may merge the attacker’s account with the victim’s account, granting the attacker full control over the victim’s account.
Implications and Severity
The nOAuth vulnerability is particularly concerning due to its low complexity and the significant challenges organizations face in detecting and defending against such attacks. Traditional security measures like Multi-Factor Authentication (MFA), conditional access policies, and Zero Trust frameworks offer no protection against this type of exploitation. The simplicity of the attack, coupled with the potential for widespread impact, underscores the urgency for organizations to address this vulnerability promptly.
Mitigation Strategies
To protect against nOAuth exploitation, organizations should implement the following measures:
1. Avoid Using Email Claims for Authorization: Developers should refrain from using email claims as unique identifiers for users. Instead, they should utilize immutable identifiers such as the `sub` claim.
2. Implement Email Verification Processes: If email addresses are used in any capacity, ensure that they are verified through secure means, such as sending a confirmation link to the email address to confirm ownership.
3. Update Application Configurations: For applications created before June 2023, review and update configurations to ensure that unverified email claims are not emitted in ID tokens. Set the `removeUnverifiedEmailClaim` parameter to `true` to prevent processing of unverified email claims.
4. Monitor and Audit Authentication Flows: Regularly monitor authentication logs for unusual activities, such as unexpected account merges or changes in user identifiers, to detect potential exploitation attempts.
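The root cause described above (keying accounts on the mutable email claim) and mitigations 1, 2 and 4 can be seen side by side in the following added example; it is illustrative code written for this article, not code from Microsoft, Descope or Semperis. The account table, issuer URLs and claim values are constructed, and the "vulnerable" lookup is kept only to show how the merge happens and to flag email collisions for auditing.

```python
# Added example: ID-token-to-account lookup in the vulnerable form (keyed on the mutable
# 'email' claim) beside the hardened form (keyed on issuer + 'sub'). All data is constructed.

ACCOUNTS = {
    "acct-1001": {
        "iss": "https://login.microsoftonline.com/VICTIM-TENANT-ID/v2.0",  # placeholder tenant
        "sub": "victim-subject-id",
        "email": "alice@victim.example",
        "email_verified": True,
    },
}
AUDIT_LOG = []  # events a monitoring pipeline would consume (mitigation 4)

def find_by_email(claims):
    """Vulnerable: trusts the 'email' claim as the user key. Any tenant can issue a token
    carrying this address, so a foreign identity is merged into the victim's account."""
    wanted = claims.get("email", "").lower()
    return next((a for a, r in ACCOUNTS.items() if r["email"].lower() == wanted), None)

def find_by_subject(claims):
    """Hardened: the (iss, sub) pair is immutable and scoped to the issuing tenant."""
    key = (claims["iss"], claims["sub"])
    return next((a for a, r in ACCOUNTS.items() if (r["iss"], r["sub"]) == key), None)

def link_account(claims):
    """Hardened sign-in: resolve by subject only. An unknown subject gets a NEW account whose
    email stays unverified until a confirmation link is completed (mitigation 2); an email
    collision with an existing account is logged for review, never merged."""
    acct = find_by_subject(claims)
    if acct:
        return acct, "existing"
    collides_with = find_by_email(claims)
    new_id = f"acct-{1000 + len(ACCOUNTS) + 1}"
    ACCOUNTS[new_id] = {"iss": claims["iss"], "sub": claims["sub"],
                        "email": claims.get("email", ""), "email_verified": False}
    if collides_with:
        AUDIT_LOG.append({"event": "email_collision", "new": new_id,
                          "existing": collides_with, "iss": claims["iss"]})
    return new_id, "new_unverified"

# Constructed claims from a different tenant whose unverified 'email' equals the
# victim's address, i.e. the pattern the article describes.
FOREIGN_CLAIMS = {
    "iss": "https://login.microsoftonline.com/OTHER-TENANT-ID/v2.0",  # placeholder tenant
    "sub": "other-subject-id",
    "email": "alice@victim.example",
}
```

Run `link_account(FOREIGN_CLAIMS)` to see the hardened path provision a separate unverified account and emit an `email_collision` audit event instead of returning `acct-1001`, whereas `find_by_email(FOREIGN_CLAIMS)` returns the victim's account.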
Conclusion
The nOAuth vulnerability highlights the critical importance of proper implementation of authentication protocols and the dangers of relying on mutable and unverified attributes for user identification. Organizations must take immediate action to assess their applications for susceptibility to nOAuth exploitation and implement the recommended mitigation strategies to safeguard their systems and user data.