Thousands of SaaS Apps Still at Risk from nOAuth Vulnerability Attack

June 28, 2025 / News

If you believe nOAuth is resolved, think again. Semperis has discovered that more than 10,000 SaaS applications may still be vulnerable because of developer oversight. The original nOAuth problem was disclosed in June 2023, but it persists, and there are new developments.

Cybersecurity correspondent Kevin Townsend, who focuses closely on cloud security architecture and threat intelligence, investigates how tens of thousands of apps might be at risk because of a harmful blend of lax developer practices and design flaws. For all I know, this guy hasn’t slept in days; the effort he puts into unraveling intricate security problems is remarkable.

So What Exactly Is nOAuth?


You can think of nOAuth not so much as a bug per se, but rather a novel form of exploitation — it is not about breaking into the application but about how the application trusts its users. It exploits a weak pairing between Microsoft Entra ID (formerly Azure AD) and some SaaS applications. Bad news for SaaS users: you could be an unsuspecting target.

Even if your internal security is top-notch, nOAuth dances just out of reach — right in the connection between Entra and the app. It’s like locking your house but leaving the back gate open for guests… and hoping no one sneaks in.

What Did Semperis Find?

In late 2024, Semperis researchers (yes, those folks who stay up analyzing attack surfaces so you can sleep better) focused on 104 SaaS apps listed in the Microsoft Entra Gallery. Their goal wasn’t to repeat Descope’s earlier work — which looked at apps using multiple identity providers — but to test something new: What if the app uses only Entra ID?

Turns out, even that’s enough for nOAuth abuse.

“Many developers read the earlier research and assumed, ‘Doesn’t apply to us’. Oops,” says Eric Woodruff, Chief Identity Architect at Semperis.

Of the 104 tested apps, 9 were found vulnerable — roughly 9%. Woodruff then did a bit of math (the scary kind): if the global SaaS app pool includes 150,000 apps, we could be looking at 13,500 potentially vulnerable applications.

That includes HR platforms stuffed with personal data and integrations into Microsoft 365 — which means attackers could even use nOAuth to pivot deeper into corporate networks. Yikes.

Microsoft’s Role — Or Lack Thereof

Semperis reported this to Microsoft back in December 2024. Microsoft’s Security Response Center (MSRC) looked into it, but by April 2025 the case had been quietly dropped – no explanation, nothing. Typical.

Now, to be fair, Microsoft *did* put out some advice on how to set things up better. But the real problem is that this isn’t something they can just fix with a software patch. It all comes down to how developers handle authentication, especially when they accept guest accounts they haven’t properly checked and use email addresses as the login identifier. Microsoft built a secure system, sure, but only if people use it right.
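As an added illustration (not code from the article, from Semperis or from Microsoft), here is the account-linking decision that paragraph describes, in Python: the email-keyed lookup beside one keyed on the tenant and object identifiers. The claim names are standard Entra ID token claims, the `xms_edov` domain-verification flag is an Entra optional claim the article does not mention, and both token payloads are constructed.

```python
"""Two ways a SaaS app can map an Entra ID token to a local account.
Added example: claim names are standard Entra ID ID-token claims and the
token payloads are constructed; signature verification is assumed done."""

# Constructed decoded payload for the legitimate user in tenant A.
VICTIM_CLAIMS = {
    "tid": "tenant-a", "oid": "aaaa-0001",
    "email": "cfo@victim.example", "xms_edov": True,
}
# Constructed payload for an account in an unrelated tenant whose mail
# attribute carries the same string but is unverified (xms_edov False).
LOOKALIKE_CLAIMS = {
    "tid": "tenant-b", "oid": "bbbb-0009",
    "email": "cfo@victim.example", "xms_edov": False,
}


def link_by_email(store: dict, claims: dict) -> dict:
    """nOAuth-prone pattern: the mutable email claim is the account key,
    so any token carrying the same string lands in the same account."""
    return store.setdefault(claims["email"], {"email": claims["email"]})


def link_by_subject(store: dict, claims: dict) -> dict:
    """Hardened pattern: key on the immutable (tid, oid) pair. Email is
    kept only as contact data, and only when Entra reports the domain as
    owner-verified; it never selects an existing account."""
    key = (claims["tid"], claims["oid"])
    if key not in store:
        verified = claims.get("xms_edov") is True
        store[key] = {
            "subject": key,
            "email": claims["email"] if verified else None,
        }
    return store[key]


def same_account(link, claims_a: dict, claims_b: dict) -> bool:
    """True if both tokens resolve to one local account under `link`."""
    store: dict = {}
    return link(store, claims_a) is link(store, claims_b)


if __name__ == "__main__":
    print("email key merges the two tokens:",
          same_account(link_by_email, VICTIM_CLAIMS, LOOKALIKE_CLAIMS))
    print("subject key merges the two tokens:",
          same_account(link_by_subject, VICTIM_CLAIMS, LOOKALIKE_CLAIMS))
```

In an audit, the question to ask of each Entra-integrated app is which of these two lookups its login handler performs.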

And that’s the big problem. Lots of developers are rushing to get things done, so they either miss important details or misunderstand the instructions. It’s kind of like building flatpack furniture without reading the instructions and then wondering why you have a spare screw left over – only in this case, the “spare screw” is a huge security risk.


Why You Should Care

Because:

  • Victims don’t know they’re victims.
  • Microsoft can’t fix it.
  • Developers haven’t fixed it.

And most importantly, this nOAuth vulnerability remains one of the most under-the-radar threats in the SaaS landscape.

Final Thoughts from Kevin Townsend

Kevin Townsend, who has covered everything from cloud exploits to nation-state cyberwarfare, warns this isn’t something to be shrugged off. His research points out a fundamental issue: a misunderstanding between trust and authentication. And if developers don’t take heed, nOAuth will continue to lurk quietly behind countless login screens.

If you have read this far, you found the article interesting. To enjoy more such articles, stay tuned to MalVirus.

Published by:

Vishal Jaiswal

Vishal Kumar Jaiswal is the Founder of WebDeskArt and a seasoned WordPress Developer with expertise in SEO, PPC, SMM, and email marketing. With a Master's in Production & Industrial Engineering, he blends technical development with strategic digital marketing to deliver tailored web solutions for businesses worldwide.
