SaaS applications vulnerable to account theft flaw ‘nOAuth’

A known vulnerability in software-as-a-service (SaaS) platforms is leaving users exposed to account theft. Known as nOAuth, the vulnerability allows an attacker armed only with a target’s email address to take over that target’s account on applications that use the Microsoft Entra service.

According to researchers with security firm Semperis, around 9% of the SaaS applications it tested were found to be vulnerable to the flaw.

“With only access to an Entra tenant — a low barrier — and the target user’s email address, an attacker can take over that user’s account in the vulnerable application,” noted Eric Woodruff, chief identity architect for Semperis. “From there, the attacker can access all the data that the target has access to within that application.”

While the nOAuth flaw itself has been known since June 2023, the extent to which SaaS applications remained vulnerable was not known, particularly for applications that rely on Entra.

The flaw, which lies in the way SaaS apps handle user authentication, allows a threat actor with a local account to spoof the email addresses of other users during the authentication process and gain access to their accounts.

Woodruff told SC Media that in a typical attack scenario, the threat actor would likely single out specific applications, then attempt to use the vulnerability to harvest user account data for ransom or exfiltration.

“The threat is going to be somewhat relative to the application’s purpose. That is, what the application is designed for and what the company uses it for,” Woodruff explained. “In the example of our finding a vulnerable HR application, you could draw a conclusion that data exfil would be the primary goal. We know attackers don’t really have boundaries, so it wouldn’t be unreasonable to believe that they could use it for further reconnaissance, threaten to sell it off or silently sell it off.”

Woodruff noted that the flaw is particularly ominous in applications that integrate with the Microsoft 365 platform. In those cases, an attacker could turn a compromised account into a much larger data exposure by accessing apps such as Exchange Online.

“We know attackers love to move into Microsoft 365, especially EXO. These integrations would offer stealthy ways to act as the user, being able to possibly interact with the user’s calendar and mailbox, creating a variety of BEC and data exfiltration scenarios,” Woodruff explained. “A threat actor could use these systems to either target the customer or use it as a proxy for other BEC type activities, using the customer as a trusted source.”

Semperis said that while customers can take some basic steps to protect themselves, such as integrating multi-factor authentication, it is up to the SaaS application developers themselves to fully guard against nOAuth attacks by adopting best practices such as not relying solely on the email address for user identification.
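The developer-side fix the article points to, as an added illustration that is not Semperis’s or Microsoft’s code: an account lookup keyed on the mutable `email` claim beside one keyed on the issuer-bound `iss`/`sub` pair. Tenant IDs, subjects, the user store and the decoded claim sets are all constructed, and token signature and audience validation are assumed to have happened before either lookup runs.

```python
"""Vulnerable vs. hardened account lookup after an OIDC sign-in (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed tenant identifiers, not real Entra values.
OWN_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


@dataclass
class Account:
    username: str
    email: str
    # Immutable binding captured at the user's first verified sign-in.
    issuer: Optional[str] = None
    subject: Optional[str] = None


# Constructed user store: this user already signed in once from their own tenant.
ACCOUNTS = [Account("alice", "alice@example.com",
                    issuer=f"https://login.microsoftonline.com/{OWN_TENANT}/v2.0",
                    subject="sub-alice-0001")]


def lookup_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable pattern: trusts 'email', which the token's own tenant can set freely."""
    email = claims.get("email", "").lower()
    return next((a for a in ACCOUNTS if a.email.lower() == email), None)


def lookup_by_issuer_subject(claims: dict) -> Optional[Account]:
    """Hardened pattern: keys the account on the (iss, sub) pair the IdP asserts.
    oid + tid is the other common immutable choice for Entra-issued tokens."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return None
    return next((a for a in ACCOUNTS if a.issuer == iss and a.subject == sub), None)


# Constructed decoded ID-token claims: the genuine user from their own tenant ...
LEGIT_CLAIMS = {"iss": f"https://login.microsoftonline.com/{OWN_TENANT}/v2.0",
                "sub": "sub-alice-0001", "email": "alice@example.com"}
# ... and a token from a different tenant whose 'email' merely matches hers.
CROSS_TENANT_CLAIMS = {"iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
                       "sub": "sub-other-0042", "email": "alice@example.com"}
```

Under the email-keyed lookup the cross-tenant token resolves to alice's account; under the issuer/subject lookup it resolves to nothing and the application must treat it as a new, unlinked identity.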
