Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Crogl is AI built for the enterprise SOC: fully private, schema-free, and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows. Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Eric Woodruff
If an application is vulnerable to this abuse, basically, if I know, like, a legitimate user's email address that uses that SaaS application, there's a way I can set that email address in my own sort of attacker Entra tenant and then authenticate essentially into the SaaS application as the legitimate user. So whether you want to call it spoofing or impersonation, the end result is I'm in that SaaS application as that user and have access to, you know, whatever they would have access to in that application.
Dave Bittner
That's Eric Woodruff, Chief Identity Architect at Semperis. The research we're discussing today is titled "nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications." Can you walk us through how you went through this testing to see if your suspicions were correct?
Eric Woodruff
Yeah, so it actually, kind of, there was a confluence of some other research that we're doing in the Entra App Gallery, which is kind of like a catalog of application integrations. So I had read the research that Descope had performed back in 2023 and what they published, and some of the other stuff MSRC published at the time as well. The Entra Application Gallery sort of made a nice way to find applications that use OpenID Connect, right. And so this is another sort of core requirement, is that they're OpenID Connect applications. Yeah, I just started poking at a few, kind of going down the list, as boring as maybe that sounds, and I happened to find one that was susceptible. So I just kind of kept chugging away through the rest of the list that are in the Entra App Gallery.
Dave Bittner
Can you walk us through how that works? I mean, how do you go about doing that and also making sure that what you're doing is ethical and also, you know, you're putting guardrails on yourself?
Eric Woodruff
Yeah. So, I mean, in the testing that we're performing, right, to make sure I'm staying within the boundaries of ethics, the only applications we tested were ones that I could sign up for a service as myself. At the time we were testing, there were 1,017 OpenID Connect applications, and I found about 104 of them I could go sign up for a trial or sign in as myself. I'm the legitimate user, so to speak, in that application. And then I would try to create some sort of bit of data to make sure I could act as a legitimate customer of the app. And then I had a separate Entra tenant where I was the attacker. But in this whole scenario, I'm only going after myself, so to speak. So I'm not actually trying to get access to something like I shouldn't have.
Dave Bittner
Sure. So what kinds of applications did you find were most vulnerable here?
Eric Woodruff
So, I mean, it's a small smattering of applications that were vulnerable. There were a few systems that had PII, right. So there was an HR platform. If you think of something like Workday. Now, Workday wasn't one, to be clear. But we're talking a platform like that. There were a few collaboration platforms, like you think of platforms where you might do mind mapping and diagram sharing and other sorts of business collaboration. There are a few that also still actually are vulnerable. So we've been sensitive to not actually really talk about what they are, but another one that, well, I'd say mid-June, when I last checked, was still vulnerable, also contained PII that would be similar to, like, stuff you'd find in an HR application. Out of the nine, there wasn't anything that was necessarily, I'd say, consistent, you know, across the vertical or type of software it is or whatnot.
Dave Bittner
Right. And you rated this vulnerability as being severe. What led you to that category?
Eric Woodruff
Well, I think because the attack itself, right, it's already essentially documented, right, by Descope when they published, and then obviously, like, when we published, right. If you're technical, right, you'd be able to read our findings and also, right, sort of figure out how it works. If you're a technical person and you know of a vulnerable application, right, it's a relatively easy attack to pull off. It's easy to get access to an Entra tenant. It's easy to basically follow the steps to replicate it. You know, obviously you need to know of an application that is vulnerable, right? So that is the sort of wild card here. But if you did happen to have an app that was vulnerable, not only is it easy to pull off, but it's, you know, as we say, near impossible to sort of detect, and, you know, the customer really can't do anything to mitigate it.
Dave Bittner
And is that because... Well, explain to me why that is so.
Eric Woodruff
Yeah, from the mitigation perspective, all the traditional stuff one might use to try to protect applications in their Entra tenant, like Conditional Access, and maybe asking for multi-factor or phishing-resistant auth, all these common things, or maybe they're using a cloud access security broker (CASB) solution that's looking at the traffic. The attacker is coming in essentially out of band, right. So the attacker is in a completely different Entra tenant. So nothing that you can do within your own Entra tenant from a traditional perspective is going to help really mitigate things. The only thing you're really left with then, from a detection perspective, is log correlation. The theory would be, well, I can take all my Entra sign-in logs and I can take all my SaaS application sign-in logs and kind of cross-correlate them, right, and basically look for SaaS application sign-ins where there isn't a matching Entra sign-in. But that theory is great. In reality, that is difficult to impossible with SaaS apps, primarily because a lot of SaaS applications offer very poor logging capabilities, right, for sign-in events, and even ones that do, they don't really have a way to easily integrate that stuff into, like, a SIEM like Sentinel or Splunk or something. Right. So again, the organization that's kind of, right, stuck in the middle between Microsoft and the vulnerable SaaS app, that's our only detection, and it's nothing I've ever seen anyone actually doing out in the real world. So that's why we say it's, like, almost next to impossible to detect.
Dave Bittner
Well, you mentioned in the research that the true mitigations lie with the app vendors themselves. Can you explain that for us?
Eric Woodruff
Yeah. Right. So I mean, ultimately, in, you know, both Microsoft's response, right, is that this is developers following anti-patterns in how they implement OpenID Connect in their application. So, not to get too, like, in the nerdy weeds here, but within OpenID Connect there is, like, a unique string that's generated, that the identity provider, so Entra, can, like, guarantee that that string is, you know, Dave. Right. So the application can say, hey, as long as I'm always getting this string in the ID token that's sent from Entra, I can guarantee that this is Dave and it's not anyone else. The problem comes in where app vendors might not implement OpenID Connect that way, and instead they may say, oh, I'm just going to look at Dave's email address, right? And as long as I'm getting Dave's email, then I know this is Dave, right? But the problem becomes, in the Entra world, you can't guarantee that the actual email address being sent is verified by the person who's saying they own it, so to speak. So that's where the app vendor is not following OpenID Connect specifications. This isn't just a Microsoft thing. This is actually in the spec, where they say to use that unique string, which is called a subject. So you kind of have this architected scenario, so to speak, where, because Microsoft allows email to not have to be necessarily verified, these two things come together to sort of create the vulnerability in the SaaS app.
Dave Bittner
We'll be right back.
Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS, and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
And is there no way for the user to know whether or not the provider is properly configuring things?
Eric Woodruff
Yeah. So unfortunately, right, the user is stuck in the middle. Unless you were to, say, go test the application for the vulnerability, there's no way, as a user or an enterprise with users, to know that the app is vulnerable. Now, again, Microsoft argues there might be legitimate reasons that they want the email address. Right. And kind of is like, that's why we're not going to stop sending it as an option if SaaS applications want it. Right. 'Cause, say, right, I go sign into a SaaS app and they say, want to actually send me an email. Right. Well, this makes it easier because we already know the person's email address. You know, I'd counter some of those arguments with, I think Microsoft could do more to potentially put something on the app integration so that customers could be aware that the app is asking for email. Right. This would be something more like that an enterprise could use to, you know, determine, hey, if there's maybe some risk here. But unfortunately, Microsoft hasn't really said much about these, I guess, ideas that we had when we opened the case with them. Again, it's not an absolute. It's not going to say, yes, definitively, this application is vulnerable, because ultimately you don't know what the application is doing with the email address until you actually authenticate to it. But it can at least sort of surface to organizations, right, hey, these applications are asking for this. You know, maybe we should talk to the application vendor and make sure, you know, that they're implementing OpenID Connect correctly.
Dave Bittner
Right.
Eric Woodruff
Sorry, I'm getting a bit soapboxy there, but it's okay.
Dave Bittner
You've earned it. So you mentioned the research that you did, responsible disclosure to Microsoft, but also some of these SaaS vendors. What sort of reaction did you get from them?
Eric Woodruff
Yeah, so the vendors, it was a bit of a mixed bag, which I think is interesting and maybe sad in itself. You know, as a positive, we had one vendor who we contacted, and within a week they resolved it, and it was a great experience, I'd say. So I don't want to sound completely negative in that. This vendor, you know, we got a hold of their data protection officer, explained the problem. I had some back-and-forth emails. They implemented a fix. They asked us to test again. We found there was still a vulnerability. And then they said, oh, yeah, like, our application is, you know, sort of geographically deployed. So they fixed it in another region, and then, you know, everything was buttoned up there, and I would love to use them. And I've been talking with them. I hope we can maybe sort of disclose at some point who they are, so it can kind of be, like, a good case of, right, working through this in a positive way. But other vendors, yeah, you know, it was difficult to find who to contact. Right. And so the mix would be, like, well, you know, either going on their website and looking at, you know, security or privacy or data protection policies, and/or, you know, just opening support cases, and/or just trying to spam, you know, security at, you know, company-domain.com. And some of them, you know, like, we'd open a support case and it was open for, like, months, and then we'd get a little more, well, I don't want to say aggressive, right, but like, hey, like, you know, this is a pretty critical problem in your app. Right. Like, in theory, if I know who any of your customers are, I could get into their data. And yeah, some of the vendors, you know, there's no response from them. Right, back to that. There's two of the ones that we found that are still vulnerable, again, last that I checked. So.
Dave Bittner
Do you suppose that a vendor who's been alerted to this, is there a way for them behind the scenes to see if it's under active exploitation?
Eric Woodruff
I guess it probably depends on their app and how it's built and what they log and what they don't log. Right. So again, it's such a mixed bag. Right. You don't know how they're capturing the ID token or what attribute data they're pulling out of it. Right. They may or may not be able to. I mean, ultimately, right, if they went into some sort of, right, debug process looking for this problem, yes, they should know it's potentially being exploited. However, ultimately I think their focus should be more on just fixing the problem. Right. Because they could say, oh, well, it's not actively being exploited, but unless they actually change their code, right, say, say they're not following the OpenID Connect spec, there's nothing that would prevent someone from theoretically exploiting it at some point down the road.
Dave Bittner
Right. Looking at the big picture here, what does this say about the potential gap between these identity standards and their real world implementations?
Eric Woodruff
Yeah, no, I mean, I think that's a great question. Right. And it's probably filled with a lot of opinions that are subjective. I mean, like, I will say, right, like, authentication is tough, and I'm an identity nerd, and if I'm doing OAuth flows or OpenID Connect stuff, I mean, I still have to go look at the diagrams and be like, how is this supposed to work again? Right. And I get, like, the modern authentication is tough, and you can't expect, like, every developer, right, to be, like, an expert in authentication. But at the same time, I sort of have a personal grudge, I'd say, against the cybersecurity industry in the way we educate folks around authentication and identity. If you go look at a lot of the education and the focus on cybersecurity these days, there isn't a lot that tries to get into identity and authentication and things like OpenID Connect. And again, it's very dry and boring, on one hand, and if you just let me start talking about it, probably everyone listening would fall asleep. But it is so important, obviously, that people understand how this stuff works. And yeah, I mean, it definitely says something about the industry, right, that there's this disconnect with the standards and how they're implemented. But also I think there's a big educational gap and a big gap in the focus, right, on how we're building up people's knowledge around this.
Dave Bittner
Yeah. I mean, ultimately, whose responsibility do you suppose this is? I mean, does this come down to the standards groups, or folks like Microsoft who are implementing it? It doesn't seem like the users are to blame here.
Eric Woodruff
Yeah, right. I mean, in this one, absolutely not. The user's just kind of caught in the middle. I mean, this thing in particular, I will say, is, well, unfortunately unique, because it's kind of like Microsoft has architected themselves into a bit of a predicament with it. Right. Because, you know, the standards writers, again, I'm not in their mind, right, when they wrote OpenID Connect, I mean, you know, going on over a decade now, Microsoft sort of took the spec and they've implemented some unique qualities that allow you to have multi-tenant apps. Right. So, you know, Microsoft and Google, right, they're kind of the only two big authentication providers, right, where you can go to some website and there's a, you know, sign in with Microsoft, sign in with Google. I mean, you know, on consumer apps there might also be, like, a sign in with Facebook, but if we're really just focused on enterprise, right, they're the two where you can have that sign in with Office 365, and it doesn't matter kind of where your Entra ID that's underlying that stuff lives. And Google's similar, and I'm not a Google expert, so I don't know how they implement things, but it's kind of like, again, this confluence of the standard plus Microsoft building this multi-tenant architecture thing, and then you sprinkle in, right, this ability to have unverified email addresses, creates, like, the perfect storm, essentially, for the nOAuth attack. You know, that's why, like, if you went and looked at something like Okta or whatnot that doesn't have this sort of concept of multi-tenancy, right, it wouldn't be, you know, vulnerable to this, again, just because of the way it's architected. So yeah.
Dave Bittner
So what are your recommendations then? What do you hope folks take away from the research?
Eric Woodruff
Well, I mean, big picture, right? Like, I hope that it's created some noise potentially, so that developers, right, go look at their code, and again, if an app vendor is not properly implementing OpenID Connect, that they think about it again twice, right? Because, right, end of the day, they don't, I would think, want their customers to be a target, right? Because the sort of resolution for customers, right, if the vendor doesn't fix it, is to, you know, dump that SaaS application. I mean, I would hope that Microsoft maybe thinks about adding some sort of attribute on these applications, again, so that customers will at least know that this email claim is being used. And/or, I do think that there's a place where Microsoft could eventually sunset this, right? There are ways that application developers could get email addresses if they really want them, right, that don't have to come in this way. And if Microsoft sunset that, it would absolutely resolve this problem within Entra ID. Right. And you know how things go. They could say 2028 or something, right? We're going to sunset it. And people, plenty of time, right, between now and then, to sort of change how their apps are implementing things, and...
Dave Bittner
Then extend it, and then extend it. Meanwhile, back in the real world.
Our thanks to Eric Woodruff from Semperis for joining us. The research is titled "nOAuth Abuse: Full Account Takeover of Entra Cross-Tenant SaaS Applications." We'll have a link in the show notes. That is Research Saturday, brought to you by N2K CyberWire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes. Please do check it out. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Release Date: August 2, 2025
Host: Dave Bittner
Guest: Eric Woodruff, Chief Identity Architect at Semperis
Research Topic: nOAuth Abuse – Full Account Takeover of Entra Cross-Tenant SaaS Applications
In the August 2, 2025 episode of CyberWire Daily titled "nOAuth-ing to See Here. [Research Saturday]," host Dave Bittner talks with Eric Woodruff, Chief Identity Architect at Semperis. The discussion centers on Woodruff's recent research into a weakness in how some SaaS applications implement OpenID Connect with Microsoft Entra that lets an attacker operating from their own Entra tenant sign in to the application as a legitimate user.
Eric Woodruff introduces the core of his research: because the application trusts the email claim rather than the subject identifier in the ID token, an attacker who knows a user's email address can sign in as that user from a separate tenant.
Eric Woodruff [01:30]:
"If an application is vulnerable to this abuse, basically, if I know like a legitimate user's email address that uses that SaaS application, there's a way I can set that email address in my own sort of attacker ENTRA tenant and then authenticate essentially into the SaaS application as the legitimate user."
Woodruff found the issue while doing other research in the Entra App Gallery, Microsoft's catalog of application integrations. The gallery gave him a convenient way to enumerate applications that use OpenID Connect, and he worked down that list testing each one.
Dave Bittner [02:08]:
"The research we're discussing today is titled nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications. Can you walk us through how you went through this testing to see if your suspicions were correct?"
Woodruff kept the testing ethical by only interacting with applications he could sign up for himself, using a second Entra tenant as the "attacker" to target only his own accounts.
During his testing, Woodruff identified a small number of vulnerable applications (nine at the time of the interview), including some handling Personally Identifiable Information (PII) such as an HR platform and several business collaboration tools.
Eric Woodruff [04:52]:
"There was a few systems that had PII, right. ... There's a few collaboration platforms, like you think of platforms where you might do mind mapping and diagram sharing and other sort of business collaboration."
Notably, these vulnerabilities were not confined to a specific type of software, indicating a broader issue in implementation practices.
Woodruff rates the vulnerability as severe because the technique is already publicly documented (by Descope in 2023 and now by Semperis), it is easy to carry out once a vulnerable application is known, it is nearly impossible for the customer to detect, and the customer cannot mitigate it on their own.
Eric Woodruff [06:03]:
"It's a relatively easy attack to pull off... near impossible to sort of detect and... the customer really can't do anything to mitigate it."
Traditional controls in the customer's own tenant, such as Conditional Access, multi-factor or phishing-resistant authentication, and Cloud Access Security Brokers (CASBs), do not apply, because the attacker authenticates from a completely different Entra tenant and never touches the victim tenant.
Eric Woodruff [07:03]:
"The attacker is coming in essentially out of band... nothing that you can do within your own Entra tenant from a traditional perspective is going to help really mitigate things."
The only customer-side detection Woodruff sees is correlating SaaS application sign-in logs against Entra sign-in logs to find SaaS sign-ins with no matching Entra sign-in, but poor SaaS sign-in logging and the lack of SIEM integration make this difficult to impossible in practice.
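The log-correlation idea described above, written out as an added example (not from the original research or any vendor): flag SaaS sign-ins attributed to Microsoft that have no successful home-tenant Entra sign-in for the same user within a short preceding window. Both log sets are constructed stand-ins; the Entra records use field names from the Microsoft Graph signIn resource but are trimmed to what the check needs, and the SaaS-side field names (`user`, `time`, `idp`) are assumptions, since every application logs differently.

```python
"""Cross-tenant sign-in gap detection (added example, constructed data).

Idea: a legitimate "Sign in with Microsoft" to the SaaS app should be
preceded by a successful sign-in in the customer's own Entra tenant.
A SaaS sign-in with no such Entra sign-in came from somewhere else.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # assumed tolerance between the two events
APP_NAME = "ExampleSaaS"        # appDisplayName of the app in the home tenant (assumed)


def ts(s: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed logs as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed Entra sign-in records for the home tenant (Graph signIn field names,
# flattened). status.errorCode 0 is success; 50126 is a failed sign-in.
ENTRA_SIGNINS = [
    {"userPrincipalName": "dave@example.com", "appDisplayName": "ExampleSaaS",
     "createdDateTime": "2025-06-10T09:00:05", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "appDisplayName": "ExampleSaaS",
     "createdDateTime": "2025-06-10T13:00:00", "status": {"errorCode": 50126}},
]

# Constructed SaaS-side sign-in audit events (field names are assumptions).
SAAS_SIGNINS = [
    {"user": "dave@example.com", "time": "2025-06-10T09:00:20", "idp": "Microsoft"},  # matches 09:00:05
    {"user": "dave@example.com", "time": "2025-06-10T13:00:10", "idp": "Microsoft"},  # only a failed Entra sign-in nearby
    {"user": "dave@example.com", "time": "2025-06-10T15:30:00", "idp": "Microsoft"},  # no Entra sign-in at all
]


def index_entra(records, app_name):
    """Successful home-tenant sign-ins to the app, keyed by lowercased UPN."""
    idx = {}
    for r in records:
        if r["appDisplayName"] != app_name or r["status"]["errorCode"] != 0:
            continue
        idx.setdefault(r["userPrincipalName"].lower(), []).append(ts(r["createdDateTime"]))
    return idx


def unmatched_saas_signins(saas_events, entra_records, app_name=APP_NAME, window=WINDOW):
    """Return SaaS sign-ins via Microsoft with no successful Entra sign-in for the
    same user in the preceding `window`. These are sessions the home tenant's
    Conditional Access never evaluated and are worth an analyst's attention."""
    idx = index_entra(entra_records, app_name)
    flagged = []
    for e in saas_events:
        if e["idp"] != "Microsoft":
            continue
        t = ts(e["time"])
        candidates = idx.get(e["user"].lower(), [])
        if not any(t - window <= c <= t for c in candidates):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in unmatched_saas_signins(SAAS_SIGNINS, ENTRA_SIGNINS):
        print("no matching Entra sign-in:", e["user"], e["time"])
```

Two caveats a practitioner will hit immediately. First, the join key assumes the SaaS username equals the Entra UPN; where the app stores a different identifier, a mapping table is needed. Second, SaaS sessions and refresh tokens outlive individual Entra sign-ins, so a SaaS "sign-in" event raised from a cached session will show up as unmatched; tune the window to the app's session lifetime or correlate on first-login events only, otherwise this check drowns in false positives.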
The heart of the issue is how some application vendors implement OpenID Connect. The specification tells a relying party to identify the user by the subject (sub) claim the identity provider guarantees to be unique and stable; some vendors instead identify the user by the email claim, which in Entra can be set by the tenant owner and is not guaranteed to be verified.
Eric Woodruff [08:54]:
"The problem comes in where app vendors might not implement OpenID Connect that way and instead they may say, oh, I'm just going to look at Dave's email address... but in the Entra world, you can't guarantee that the actual email address being sent is verified by the person who's saying they own it."
Microsoft's position, as Woodruff relays it, is that this is a developer anti-pattern rather than a platform flaw; Woodruff's view is that the combination of Entra's multi-tenant architecture and its willingness to send unverified email claims is what makes the anti-pattern exploitable.
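To make the anti-pattern concrete, here is an added example (not code from the original research, Microsoft, or any vendor) of the account-lookup step in a multi-tenant Entra relying party, in both the email-keyed form and the subject-keyed form the OpenID Connect spec calls for. The ID token payloads are constructed and assumed to have already passed signature verification; the tenant GUIDs, client ID, and subject values are placeholders.

```python
"""Account linking in an Entra multi-tenant OIDC relying party (added example).

The decoded ID-token payloads below are constructed. They are assumed to have
been signature-checked against the issuing tenant's keys before reaching this
code; only the claim-to-account step is shown.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed stand-ins for two Entra tenants; not real tenant IDs.
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
ATTACKER_TENANT = "22222222-2222-2222-2222-222222222222"
APP_CLIENT_ID = "app-client-id-placeholder"   # the relying party's own client ID (placeholder)


def issuer(tenant_id: str) -> str:
    """Entra v2.0 issuer URL for a tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


@dataclass
class Account:
    account_id: str
    display_email: str
    # (iss, sub) pairs bound to this account. sub is unique only per issuer,
    # so the issuer must be part of the key.
    identities: Set[Tuple[str, str]] = field(default_factory=set)


# Constructed SaaS user store with one legitimate, previously linked user.
ACCOUNTS = [Account("acct-001", "dave@example.com",
                    {(issuer(VICTIM_TENANT), "sub-dave-victim")})]


def verify_claims(payload: dict, expected_aud: str) -> None:
    """Baseline checks every relying party must do, whichever key it links on."""
    if payload.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    if not payload.get("iss", "").startswith("https://login.microsoftonline.com/"):
        raise ValueError("unexpected issuer")
    for claim in ("sub", "tid"):
        if claim not in payload:
            raise ValueError(f"missing {claim}")


def is_rejected(payload: dict, expected_aud: str) -> bool:
    """True if the baseline checks reject the token."""
    try:
        verify_claims(payload, expected_aud)
        return False
    except ValueError:
        return True


def lookup_by_email(payload: dict, expected_aud: str) -> Optional[Account]:
    """ANTI-PATTERN: selects the account by the email claim. Whoever administers
    the issuing tenant chooses that string, and Entra does not verify it."""
    verify_claims(payload, expected_aud)
    email = payload.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.display_email.lower() == email), None)


def lookup_by_subject(payload: dict, expected_aud: str) -> Optional[Account]:
    """Spec-conformant: the identity is the (iss, sub) pair. email is display
    data only and never selects an account. An unknown pair means a new
    principal; provision a fresh account rather than linking to an existing one."""
    verify_claims(payload, expected_aud)
    key = (payload["iss"], payload["sub"])
    return next((a for a in ACCOUNTS if key in a.identities), None)


def make_token(tenant_id: str, sub: str, email: str, aud: str) -> dict:
    """Constructed decoded ID-token payload (subset of claims)."""
    return {"iss": issuer(tenant_id), "tid": tenant_id, "sub": sub, "aud": aud, "email": email}


LEGIT = make_token(VICTIM_TENANT, "sub-dave-victim", "dave@example.com", APP_CLIENT_ID)
# Same email string asserted by a different tenant: a different principal.
FOREIGN = make_token(ATTACKER_TENANT, "sub-someone-else", "dave@example.com", APP_CLIENT_ID)

if __name__ == "__main__":
    print("email-keyed, home tenant   :", lookup_by_email(LEGIT, APP_CLIENT_ID))
    print("email-keyed, foreign tenant:", lookup_by_email(FOREIGN, APP_CLIENT_ID))    # same account: takeover
    print("sub-keyed,   home tenant   :", lookup_by_subject(LEGIT, APP_CLIENT_ID))
    print("sub-keyed,   foreign tenant:", lookup_by_subject(FOREIGN, APP_CLIENT_ID))  # None
```

The foreign-tenant token passes every generic check (valid signature, correct audience, Microsoft issuer) and still resolves to the victim's account under the email-keyed lookup; under the subject-keyed lookup it resolves to nothing. A relying party that serves specific enterprise customers should additionally restrict `tid` (or `iss`) to the tenants those customers onboarded, so a token from an unrelated tenant is rejected before account linking is even attempted.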
Upon disclosing the vulnerability, Woodruff encountered mixed responses from SaaS vendors. While one vendor promptly addressed and resolved the issue within a week, others were unresponsive or delayed in implementing fixes.
Eric Woodruff [14:48]:
"We had one vendor who we contacted and within a week they resolved it and it was a great experience... But other vendors, you know, it was difficult to find who to contact."
This variability highlights the challenges in achieving widespread remediation across different organizations.
Woodruff advocates for several key actions to address and prevent such vulnerabilities:
Adherence to Standards: Developers should follow the OpenID Connect specification and identify users by the subject (sub) claim, never by the email claim alone.
Eric Woodruff [21:28]:
"I hope that it's created some noise potentially so that developers, right, go look at their code and again, if an app vendor is not properly implementing OpenID Connect that they think about it again twice."
Enhanced Visibility: Microsoft could add an attribute to gallery app integrations indicating that an application requests the email claim, so customers can assess the risk and ask the vendor how it uses that claim.
Sunsetting Unverified Email: Microsoft could eventually stop issuing unverified email claims in ID tokens, with an announced deadline giving developers time to adopt other ways of obtaining email addresses; Woodruff notes this would resolve the problem within Entra ID.
Eric Woodruff [21:28]:
"I do think that there's a place where Microsoft could eventually sunset this, right? There are ways that application developers could get email addresses if they really want them, right. And if Microsoft sunset that, it would absolutely resolve this problem within Entra ID."
The episode underscores how a standard implemented loosely by application vendors, combined with an identity provider that issues unverified email claims, produces an account-takeover condition the customer can neither prevent nor reliably detect. Woodruff's research points to the need for relying parties to follow the OpenID Connect specification and for identity providers to make risky claim usage visible or retire it.
Notable Quotes:
Eric Woodruff [01:30]:
"If an application is vulnerable to this abuse, basically, if I know like a legitimate user's email address that uses that SaaS application, there's a way I can set that email address in my own sort of attacker ENTRA tenant and then authenticate essentially into the SaaS application as the legitimate user."
Eric Woodruff [06:03]:
"It's a relatively easy attack to pull off... near impossible to sort of detect and... the customer really can't do anything to mitigate it."
Eric Woodruff [08:54]:
"The problem comes in where app vendors might not implement OpenID Connect that way and instead they may say, oh, I'm just going to look at Dave's email address... but in the Entra world, you can't guarantee that the actual email address being sent is verified by the person who's saying they own it."
Eric Woodruff [14:48]:
"We had one vendor who we contacted and within a week they resolved it and it was a great experience... But other vendors, you know, it was difficult to find who to contact."
Eric Woodruff [21:28]:
"I hope that it's created some noise potentially so that developers, right, go look at their code and again, if an app vendor is not properly implementing OpenID Connect that they think about it again twice."
Eric Woodruff [22:51]:
"And you know how things go. They could say 2028 or something, right? We're going to sunset it. And people, plenty of time right between now and then to sort of change how their apps are implementing things and..."