
Semperis warns nOAuth flaw in Entra ID risks SaaS accounts

Semperis has published new research highlighting the ongoing risk posed by the nOAuth vulnerability in Microsoft's Entra ID, which may allow attackers to take over SaaS application accounts with minimal effort.

According to the research, nOAuth remains undetected by many SaaS vendors and is very difficult for enterprise customers to defend against.

The vulnerability, originally disclosed in 2023 by Omer Cohen of Descope, arises from how certain SaaS applications implement OpenID Connect: in their Entra ID app configurations they use the token's email claim, which is not verified, as the user identifier. This practice runs counter to recommended OpenID Connect guidance.
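The identifier mistake described above, shown as a relying-party account lookup in its vulnerable and recommended forms. This is an added example, not code from Semperis, Descope or Microsoft; the tenant IDs, object IDs, email addresses, account stores and function names are constructed for illustration, and the example assumes the id_token's signature, audience and expiry have already been validated.

```python
"""Account resolution after OpenID Connect login with Entra ID (added example).

All identifiers below are constructed. The point is the lookup key: an email
claim is a mutable attribute that any tenant's administrator controls, whereas
the (tid, oid) pair identifies one object in one tenant.
"""
from typing import Optional

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed: the customer's own tenant
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: an unrelated Entra tenant
ALICE_OID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"     # constructed: alice's object id at home

# Claims from a token issued for alice by the home tenant (constructed).
HOME_USER_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{HOME_TENANT}/v2.0",
    "tid": HOME_TENANT,
    "oid": ALICE_OID,
    "email": "alice@example.com",
}

# Claims from a token issued by an unrelated tenant whose own administrator set a
# user's mail attribute to alice's address. Entra ID does not verify that attribute
# on the relying party's behalf, so the claim value is whatever that tenant says (constructed).
OTHER_TENANT_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "tid": OTHER_TENANT,
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@example.com",
}

# Insecure pattern: the application's user table is keyed by email address.
ACCOUNTS_BY_EMAIL = {"alice@example.com": {"account_id": 42, "role": "admin"}}

# Recommended pattern: keyed by the immutable (tid, oid) pair, plus an allow-list of
# tenants the application has actually onboarded.
ACCOUNTS_BY_IDENTITY = {(HOME_TENANT, ALICE_OID): {"account_id": 42, "role": "admin"}}
ONBOARDED_TENANTS = {HOME_TENANT}


def resolve_insecure(claims: dict) -> Optional[dict]:
    """Vulnerable lookup: whoever presents a token carrying alice's email is treated as alice."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def resolve_secure(claims: dict) -> Optional[dict]:
    """Lookup keyed on (tid, oid); the email claim is used for display only, never as identity."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if tid not in ONBOARDED_TENANTS:
        return None  # token issued by a tenant this application never onboarded
    return ACCOUNTS_BY_IDENTITY.get((tid, oid))


if __name__ == "__main__":
    print("insecure, foreign tenant:", resolve_insecure(OTHER_TENANT_CLAIMS))  # alice's account
    print("secure, foreign tenant:  ", resolve_secure(OTHER_TENANT_CLAIMS))    # None
```

The same rule applies to first-time provisioning: if the application auto-creates or links accounts on first login, the match must be made on (tid, oid), not on an email address that happens to equal an existing user's.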

Semperis' follow-up investigation examined applications listed in Microsoft's Entra Application Gallery, finding that over a year after its initial disclosure, a substantial portion of applications remain vulnerable to nOAuth abuse.

Risk to enterprises

The core issue with nOAuth is that attackers require only their own Entra tenant and the email address of a target user to potentially gain full access to that person's account in a vulnerable SaaS application.

Traditional defences, including Multi-Factor Authentication (MFA), conditional access, and Zero Trust policies, do not mitigate this risk.

This presents a challenge for both developers and end-users. As Eric Woodruff, Chief Identity Architect at Semperis, explained,

"It's easy for well-meaning developers to follow insecure patterns without realising it and in many cases, they don't even know what to look for. Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat."

Through comprehensive testing of more than 100 Entra-integrated SaaS applications, Semperis identified that nearly 10% were susceptible to nOAuth exploitation. Once access is obtained via this vulnerability, attackers may exfiltrate data, maintain persistence, and potentially move laterally within the victim organisation's environment.

Detection and mitigation challenges

Detection of nOAuth abuse is exceptionally difficult, as successful attacks leave minimal traces within standard user activity logs.

Deep correlation across both Entra ID and individual SaaS platform logs is required to identify potential breaches. Semperis' research indicates that exploitation continues to be possible, despite the initial public disclosure and vendor recommendations.
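One form the cross-log correlation can take, as an added example rather than anything from the Semperis report: every successful login recorded by the SaaS application should have a matching sign-in for that user in the organisation's own Entra tenant shortly before it; a SaaS login with no home-tenant counterpart is worth investigating. The log records, field names and time window below are constructed assumptions, since real SaaS audit formats differ.

```python
"""Flag SaaS logins that no home-tenant Entra sign-in accounts for (added example).

Assumes two exports: the SaaS application's audit log (email + app + time) and the
home tenant's Entra sign-in log (user principal name + app + time). Both samples
below are constructed; field names are assumptions for this example.
"""
from datetime import datetime, timedelta
from typing import List

WINDOW = timedelta(minutes=5)  # assumed tolerance between IdP sign-in and app login

# Constructed SaaS audit events: the second login has no matching home-tenant sign-in.
SAAS_LOG = [
    {"ts": "2025-06-01T09:00:05Z", "event": "login", "email": "alice@example.com", "app": "DocVault"},
    {"ts": "2025-06-01T09:30:00Z", "event": "download", "email": "alice@example.com", "app": "DocVault"},
    {"ts": "2025-06-01T13:42:10Z", "event": "login", "email": "alice@example.com", "app": "DocVault"},
]

# Constructed home-tenant Entra sign-in events for the same application.
ENTRA_SIGNINS = [
    {"ts": "2025-06-01T09:00:01Z", "upn": "alice@example.com", "app": "DocVault", "result": "success"},
    {"ts": "2025-06-01T13:40:00Z", "upn": "bob@example.com", "app": "DocVault", "result": "success"},
]


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used in both samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_logins(saas_log: List[dict], entra_signins: List[dict]) -> List[dict]:
    """Return SaaS login events with no successful home-tenant sign-in for the same
    user and app within WINDOW before the login."""
    flagged = []
    for event in saas_log:
        if event["event"] != "login":
            continue
        login_at = parse_ts(event["ts"])
        matched = any(
            s["result"] == "success"
            and s["upn"].lower() == event["email"].lower()
            and s["app"] == event["app"]
            and timedelta(0) <= login_at - parse_ts(s["ts"]) <= WINDOW
            for s in entra_signins
        )
        if not matched:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for hit in unmatched_logins(SAAS_LOG, ENTRA_SIGNINS):
        print("no home-tenant sign-in for:", hit)
```

A match by user and time is a heuristic, not proof: clock skew, token reuse across sessions and missing log coverage all produce false positives, so the output is a triage queue to be checked against the SaaS vendor's session details, not an alert on its own.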

Highlighting the severity of the nOAuth issue, Woodruff added,

"nOAuth abuse is a serious threat that many organisations may be exposed to. It's low effort, leaves almost no trace and bypasses end-user protections. We've confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further."

Semperis has communicated its findings to both affected SaaS vendors and Microsoft, beginning in December 2024. Some vendors have taken steps to address the issue, while others reportedly remain vulnerable.

Industry response and recommendations

The Microsoft Security Response Centre (MSRC) advises SaaS application vendors to implement its security recommendations regarding user identification and OpenID Connect integration. Firms failing to comply may risk removal from the Entra Application Gallery.

Semperis continues to focus on identity threat detection, with recent announcements regarding new detection features addressing other critical vulnerabilities such as BadSuccessor and Silver SAML.

These findings exemplify ongoing risks within enterprise identity services, where configuration weaknesses in authentication protocols can present significant challenges for both software providers and their customers.

The nOAuth vulnerability underlines the importance of not only secure development practices but also continuous monitoring as enterprise reliance on SaaS and identity federation increases.

Semperis' report calls for prompt action from SaaS vendors to update their authentication implementations to address this persistent risk.
