nOAuth-ing to see here. [Research Saturday]
23 snips Aug 2, 2025
Eric Woodruff, Chief Identity Architect at Semperis, dives into the critical nOAuth authentication flaw affecting SaaS applications. He reveals how this vulnerability allows attackers to impersonate users with just an email address, leading to potential data breaches. The discussion highlights the urgent need for SaaS vendors to adopt more secure OpenID Connect practices. Woodruff also shares insights on the challenges of securing Active Directory and the complexities surrounding responsible disclosure in the tech industry.
Ethical Testing Approach
- Eric Woodruff ethically tested SaaS apps by signing in as himself to avoid impacting others.
- He simulated attacks only on his own accounts to confirm vulnerability without unauthorized access.
nOAuth Risks Span Multiple Apps
- The nOAuth vulnerability affects a wide range of SaaS apps, including ones that hold personally identifiable information.
- No single industry vertical was consistently affected; the vulnerable applications spanned multiple application types.
Severity and Undetectability of nOAuth
- The nOAuth flaw is severe due to its simplicity and near impossibility of detection.
- Organizations cannot easily detect or defend against this attack with their existing security tools.