CyberWire Daily: nOAuth-ing to See Here [Research Saturday] – Detailed Summary
Release Date: August 2, 2025
Host: Dave Bittner
Guest: Eric Woodruff, Chief Identity Architect at Semperis
Research Topic: nOAuth Abuse Alert – Full Account Takeover of Entra Cross-Tenant SaaS Applications
Introduction
In the August 2, 2025 episode of CyberWire Daily titled "nOAuth-ing to See Here. [Research Saturday]," host Dave Bittner talks with Eric Woodruff, Chief Identity Architect at Semperis. The discussion centers on Woodruff's recent research into a critical weakness in how some SaaS applications implement OAuth and OpenID Connect, which allows an attacker to impersonate legitimate users and gain unauthorized access to those applications.
Understanding the nOAuth Abuse Vulnerability
Eric Woodruff introduces the core of his research, explaining a vulnerability that enables attackers to authenticate into SaaS applications as legitimate users by exploiting weaknesses in how OpenID Connect is implemented.
Eric Woodruff [01:30]:
"If an application is vulnerable to this abuse, basically, if I know like a legitimate user's email address that uses that SaaS application, there's a way I can set that email address in my own sort of attacker Entra tenant and then authenticate essentially into the SaaS application as the legitimate user."
Testing Methodology
Woodruff elaborates on his systematic approach to uncovering this vulnerability. By leveraging the Entra App Gallery—a catalog of application integrations using OpenID Connect—he tested various applications to identify weaknesses.
Dave Bittner [02:08]:
"The research we're discussing today is titled nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications. Can you walk us through how you went through this testing to see if your suspicions were correct?"
Woodruff ensured ethical testing by only interacting with applications he could personally sign up for, avoiding any unauthorized access or data breaches.
Identified Vulnerable Applications
During his testing, Woodruff identified a select few applications that were susceptible to this vulnerability, particularly those handling Personally Identifiable Information (PII) such as HR platforms and business collaboration tools.
Eric Woodruff [04:52]:
"There were a few systems that had PII, right. So there were a few collaboration platforms, like you think of platforms where you might do mind mapping and diagram sharing and other sort of business collaboration."
Notably, these vulnerabilities were not confined to a specific type of software, indicating a broader issue in implementation practices.
Severity and Impact of the Vulnerability
The vulnerability is deemed severe due to its ease of exploitation and the significant potential impact it holds. Woodruff emphasizes that once exploited, the attack is virtually undetectable and offers extensive access to sensitive data.
Eric Woodruff [06:03]:
"It's a relatively easy attack to pull off... near impossible to sort of detect and... the customer really can't do anything to mitigate it."
Mitigation Challenges
Traditional security measures such as multi-factor authentication (MFA) and Cloud Access Security Brokers (CASBs) prove ineffective against this type of attack. The attacker operates from a completely different Entra tenant, bypassing standard protective mechanisms.
Eric Woodruff [07:03]:
"The attacker is coming in essentially out of band... nothing that you can do within your own Entra tenant from a traditional perspective is going to help really mitigate things."
Additionally, the lack of robust logging and integration capabilities in many SaaS applications hampers effective detection and response.
Root Causes: Standards vs. Implementation
The heart of the issue lies in the improper implementation of OpenID Connect by application vendors. While the standards themselves are robust, deviations and oversights in implementation create vulnerabilities.
Eric Woodruff [08:54]:
"The problem comes in where app vendors might not implement OpenID Connect that way and instead they may say, oh, I'm just going to look at Dave's email address... but in the Entra world, you can't guarantee that the actual email address being sent is verified by the person who's saying they own it."
This discrepancy between standards and real-world application underscores a significant gap in cybersecurity practices.
Vendor Reactions to Responsible Disclosure
Upon disclosing the vulnerability, Woodruff encountered mixed responses from SaaS vendors. While one vendor promptly addressed and resolved the issue within a week, others were unresponsive or delayed in implementing fixes.
Eric Woodruff [14:48]:
"We had one vendor who we contacted and within a week they resolved it and it was a great experience... But other vendors, you know, it was difficult to find who to contact."
This variability highlights the challenges in achieving widespread remediation across different organizations.
Recommendations and Future Directions
Woodruff advocates for several key actions to address and prevent such vulnerabilities:
- Adherence to Standards: Developers should strictly follow the OpenID Connect specification, identifying users by the unique subject identifier the identity provider issues rather than by the email address claim, which Entra does not guarantee to be verified.
  Eric Woodruff [21:28]:
  "I hope that it's created some noise potentially so that developers, right, go look at their code and again, if an app vendor is not properly implementing OpenID Connect, that they think about it again twice."
- Enhanced Vendor Communication: Providers like Microsoft should implement additional safeguards, such as flagging applications that request email addresses, allowing organizations to assess potential risks.
- Sunsetting Insecure Practices: Microsoft could phase out the use of unverified email addresses in authentication flows, eliminating the root cause of the vulnerability.
  Eric Woodruff [21:28]:
  "I do think that there's a place where Microsoft could eventually sunset this, right? There are ways that application developers could get email addresses if they really want them, right. And if Microsoft sunset that, it would absolutely resolve this problem within Entra ID."
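To make the root cause and the first recommendation concrete, here is an added Python example (not code from the episode or from Semperis) contrasting a relying party that maps an ID token to a local account by the unverified email claim with one that keys on tenant and subject; the tenant IDs, subject values and account are constructed sample data, and the token is assumed to have already passed signature, audience and expiry validation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    email: str


# Constructed sample data: one victim account provisioned from the legitimate tenant.
LEGIT_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
VICTIM = Account("acct-42", "dave@example.com")

# Two ways a relying party might store the mapping from identity provider to local account.
ACCOUNTS_BY_EMAIL = {VICTIM.email: VICTIM}
ACCOUNTS_BY_SUBJECT = {(LEGIT_TENANT, "sub-dave-legit"): VICTIM}

# Constructed ID-token claim sets; signature, audience and expiry are assumed already checked.
VICTIM_TOKEN = {"iss": f"https://login.microsoftonline.com/{LEGIT_TENANT}/v2.0",
                "tid": LEGIT_TENANT, "sub": "sub-dave-legit", "email": "dave@example.com"}
# Issued by a different tenant whose administrator set the same, unverified, email value.
FOREIGN_TOKEN = {"iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
                 "tid": OTHER_TENANT, "sub": "sub-other", "email": "dave@example.com"}


def login_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable pattern: the account is chosen by a claim the issuer does not verify."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email"))


def login_by_subject(claims: dict) -> Optional[Account]:
    """Hardened pattern: `sub` is unique only within its issuer, so the lookup key is
    (tid, sub), the issuer must belong to that tenant, and `email` is never consulted."""
    tid, sub, iss = claims.get("tid"), claims.get("sub"), claims.get("iss", "")
    if not tid or not sub or f"/{tid}/" not in iss:
        return None
    return ACCOUNTS_BY_SUBJECT.get((tid, sub))
```

Running both lookups over the two tokens shows the difference: the email-keyed lookup returns the victim's account for the foreign-tenant token, while the subject-keyed lookup returns nothing for it.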
Conclusion
The episode underscores a critical vulnerability arising from the misimplementation of authentication standards. Woodruff's research sheds light on the necessity for stringent adherence to OpenID Connect specifications and the importance of proactive measures by both developers and service providers to safeguard against such exploits. As the cybersecurity landscape evolves, bridging the gap between standards and their real-world applications remains imperative to protect sensitive data and maintain trust in digital systems.
Notable Quotes:
- Eric Woodruff [01:30]:
  "If an application is vulnerable to this abuse, basically, if I know like a legitimate user's email address that uses that SaaS application, there's a way I can set that email address in my own sort of attacker Entra tenant and then authenticate essentially into the SaaS application as the legitimate user."
- Eric Woodruff [06:03]:
  "It's a relatively easy attack to pull off... near impossible to sort of detect and... the customer really can't do anything to mitigate it."
- Eric Woodruff [08:54]:
  "The problem comes in where app vendors might not implement OpenID Connect that way and instead they may say, oh, I'm just going to look at Dave's email address... but in the Entra world, you can't guarantee that the actual email address being sent is verified by the person who's saying they own it."
- Eric Woodruff [14:48]:
  "We had one vendor who we contacted and within a week they resolved it and it was a great experience... But other vendors, you know, it was difficult to find who to contact."
- Eric Woodruff [21:28]:
  "I hope that it's created some noise potentially so that developers, right, go look at their code and again, if an app vendor is not properly implementing OpenID Connect, that they think about it again twice."
- Eric Woodruff [22:51]:
  "And you know how things go. They could say 2028 or something, right? We're going to sunset it. And people, plenty of time right between now and then to sort of change how their apps are implementing things and."
This comprehensive summary captures the essence of the podcast episode, highlighting the key points of discussion, notable insights from Eric Woodruff, and the implications of the identified vulnerability on the cybersecurity landscape.