Defenders hate it! Compromise vulnerable SaaS applications with this one weird trick

Eric Woodruff

fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal

Eric Woodruff, Chief Identity Architect at Semperis, presents a deep investigation into **nOAuth** -- a two-year-old vulnerability class in applications using **OpenID Connect (OIDC)** with Microsoft Entra ID that remains actively exploitable today. The vulnerability allows an attacker to impersonate any user in a SaaS application simply by knowing their email address. Woodruff's research extends the original 2023 disclosure by **Descope** by demonstrating that the vulnerability is not limited to cross-identity-provider attacks but works as a **cross-tenant attack within Entra ID itself**. Testing 104 applications from the Entra Gallery, he found **9 (8.6%) were vulnerable**, including an HR platform full of PII, applications with Office 365 integrations enabling mail access, and platforms claiming 45,000+ customers. Despite coordinated disclosure with MSRC spanning over six months, Microsoft continues to characterize this as a developer problem, leaving customers with no visibility into whether the SaaS applications they rely on are vulnerable.
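The root cause behind the class of bugs the talk describes is an application matching sign-ins to local accounts by the mutable `email` claim instead of a stable tenant-scoped identifier. The following is an added defender's illustration, not code from the talk or from Semperis: it compares a vulnerable account lookup with a hardened one, using constructed claim sets (tenant ids, object ids and addresses are placeholders) as they would look after the ID token's signature has already been validated by an OIDC library.

```python
# Constructed ID-token claim sets (post signature validation). A legitimate
# user in tenant A, and an account in an unrelated tenant B whose owner set
# the same e-mail address on their own directory object.
LEGIT = {"iss": "https://login.microsoftonline.com/TENANT-A-ID/v2.0",
         "tid": "TENANT-A-ID", "oid": "oid-a-0001", "sub": "sub-a-0001",
         "email": "alice@example.com"}
ROGUE = {"iss": "https://login.microsoftonline.com/TENANT-B-ID/v2.0",
         "tid": "TENANT-B-ID", "oid": "oid-b-0009", "sub": "sub-b-0009",
         "email": "alice@example.com"}

# Constructed local account table, keyed both ways so the two lookups can
# be compared side by side. "tid"/"oid" are what the hardened lookup uses.
USERS = [{"id": 1, "email": "alice@example.com",
          "tid": "TENANT-A-ID", "oid": "oid-a-0001"}]


def lookup_vulnerable(claims):
    """Matches on the e-mail claim alone: any tenant can assert it."""
    email = claims.get("email", "").lower()
    return next((u for u in USERS if u["email"].lower() == email), None)


def lookup_hardened(claims):
    """Matches on the immutable pair (tid, oid), which an outside tenant
    cannot forge. `sub` would also work, but it is pairwise per app."""
    key = (claims.get("tid"), claims.get("oid"))
    if not all(key):
        return None
    return next((u for u in USERS if (u["tid"], u["oid"]) == key), None)


def email_is_domain_verified(claims):
    """The e-mail claim is only worth trusting (and then only as contact
    data, never as the account key) when the issuing tenant proves domain
    ownership. Entra exposes this as the optional `xms_edov` boolean claim;
    treating a missing claim as unverified is an assumption of this example."""
    return claims.get("xms_edov") is True


if __name__ == "__main__":
    print("vulnerable, rogue token ->", lookup_vulnerable(ROGUE))   # account 1
    print("hardened,   rogue token ->", lookup_hardened(ROGUE))     # None
    print("hardened,   legit token ->", lookup_hardened(LEGIT))     # account 1
```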

AI review

A two-year-old vulnerability that everyone thought was fixed -- it wasn't. Woodruff demonstrates that nOAuth account takeover in SaaS apps via spoofed email claims is alive and well, finding 8.6% of tested Entra Gallery apps still vulnerable, including HR platforms swimming in PII and apps with O365 integrations that pivot directly into mailboxes. The attack is trivial, detection is essentially impossible, and Microsoft's response has been to shrug. That's a dangerous combination.
