CyberWire Daily

nOAuth-ing to see here. [Research Saturday]

N2K Networks, Inc.

Daily News, Tech News, News, Technology

🗓️ 2 August 2025

⏱️ 24 minutes

Summary

This week, we are joined by Eric Woodruff, Chief Identity Architect at Semperis, discussing "nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications". Semperis researchers identified a critical authentication flaw known as nOAuth in 9 of 104 tested SaaS applications integrated with Microsoft Entra ID. The vulnerability is low-complexity but severe: an attacker who knows a user's email address and controls any Entra tenant can sign in to an affected application as that user, exfiltrate data, and move laterally within the app, with no viable defense or detection available to the SaaS customer. The root cause is the use of the mutable, unverified email claim to identify users at sign-in. The findings spotlight the ongoing risk of treating email claims as identity and emphasize the urgent need for SaaS vendors to adopt secure OpenID Connect practices, keying accounts on immutable identifiers rather than email, and to remediate vulnerable applications. Complete our annual audience survey before August 31. The research can be found here: nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications
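The account-mapping mistake the summary describes, shown side by side with the fix, as an added example that is not code from the research, the podcast, or any of the affected vendors. It models only the step after token validation: a toy multi-tenant SaaS relying party receives an Entra ID token (signature, issuer and audience are assumed to have been checked already) and has to decide which local account it belongs to. The tenant ids, object ids, account and claim sets are constructed for illustration; the helper names are this example's own.

```python
"""Toy Entra multi-tenant relying party: nOAuth-style account lookup vs. the hardened form."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (hypothetical tenant ids, object ids, account and tokens;
# not taken from the research).
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
VICTIM_EMAIL = "victim@example.com"
VICTIM_OID = "aaaaaaaa-0000-0000-0000-000000000001"
ATTACKER_OID = "bbbbbbbb-0000-0000-0000-000000000002"


@dataclass
class Account:
    email: str  # contact/display address only; mutable and unverified in Entra
    role: str
    tid: str    # Entra tenant id the account was bound to at first sign-in
    oid: str    # Entra object id of the user inside that tenant (immutable)


# The victim's existing SaaS account, provisioned from their own tenant.
ACCOUNTS: List[Account] = [
    Account(email=VICTIM_EMAIL, role="admin", tid=VICTIM_TENANT, oid=VICTIM_OID),
]

# Constructed ID-token claim sets. Both are validly issued by Entra for this
# multi-tenant app; they differ only in which tenant/user they describe.
VICTIM_TOKEN = {"tid": VICTIM_TENANT, "oid": VICTIM_OID, "email": VICTIM_EMAIL}
# The attacker set the mail attribute of a user in their OWN tenant to the
# victim's address; Entra copies it into the `email` claim without verifying
# that the attacker controls example.com.
ATTACKER_TOKEN = {"tid": ATTACKER_TENANT, "oid": ATTACKER_OID, "email": VICTIM_EMAIL}


def _find_by_email(email: Optional[str]) -> Optional[Account]:
    return next((a for a in ACCOUNTS if a.email == email), None)


def vulnerable_login(claims: dict) -> Optional[Account]:
    """The nOAuth bug: the `email` claim alone selects the local account.

    Any tenant that can mint a token carrying the victim's address gets the
    victim's account, regardless of which tenant or user the token is for.
    """
    return _find_by_email(claims.get("email"))


def hardened_login(claims: dict) -> Optional[Account]:
    """Key on the immutable (tid, oid) pair; `email` never selects an account.

    An unknown (tid, oid) gets no existing account even if its email collides
    with one. Whether to provision a separate new account for it is a product
    decision; silently merging on email is exactly the vulnerability.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None  # refuse tokens without a usable immutable identifier
    return next((a for a in ACCOUNTS if (a.tid, a.oid) == (tid, oid)), None)


def email_collision(claims: dict) -> bool:
    """Vendor-side signal worth logging: the token's email belongs to an
    existing account that is bound to a different tenant or user.

    The customer cannot observe this from their side, which is why the
    research says no customer-side detection exists; the SaaS vendor can.
    """
    existing = _find_by_email(claims.get("email"))
    if existing is None:
        return False
    return (existing.tid, existing.oid) != (claims.get("tid"), claims.get("oid"))


if __name__ == "__main__":
    for name, tok in (("victim", VICTIM_TOKEN), ("attacker", ATTACKER_TOKEN)):
        v = vulnerable_login(tok)
        h = hardened_login(tok)
        print(f"{name}: vulnerable -> {v.role if v else None}, "
              f"hardened -> {h.role if h else None}, collision={email_collision(tok)}")
```

Running it shows the attacker token landing in the admin account under `vulnerable_login`, being rejected by `hardened_login`, and tripping `email_collision`; the victim's own token passes both paths. The point for a vendor is that the fix is purely on the relying-party side: bind accounts to `tid` plus `oid` (or the app-specific `sub`) at first sign-in and treat `email` as a label, never as a key.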

Transcript

0:00.0

You're listening to the Cyberwire Network, powered by N2K.

0:09.7

Crogl is AI built for the enterprise SOC.

0:15.3

Fully private, schema-free, and capable of running in sensitive air-gapped environments.

0:20.6

Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools

0:26.6

without data leaving your perimeter.

0:28.6

Designed for high availability across geographies, it delivers context-aware, auditable decisions

0:34.6

aligned to your workflows.

0:36.6

Crogl empowers analysts to act faster and focus on critical threats,

0:41.1

replacing repetitive triage with intelligent automation

0:44.4

to help your SOC operate at scale with precision and control.

0:49.4

Learn more at Crogl.com.

0:51.4

That's C-R-O-G-L.com.

0:55.0

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts

1:14.2

tracking down the threats and vulnerabilities,

1:17.0

solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace.

1:22.8

Thanks for joining us.

1:36.3

If an application is vulnerable to this abuse, basically if I know a legitimate user's email address that uses that SaaS application, there's a way I can set that email address

1:43.3

in my own sort of attacker Entra tenant,

1:46.5

and then authenticate essentially into the SaaS application, you know, as the legitimate user.

1:52.5

So, you know, whether you want to call it spoofing or impersonation, right,

1:56.1

the end result is I'm in that SaaS application as that user and have access to, you know,

2:04.1

whatever they would have access to in that application.

...
