SaaS Apps Still Vulnerable: nOAuth Misconfiguration Madness Continues!
More than 10,000 SaaS apps could still be vulnerable to a nOAuth variant, despite the issue being disclosed in June 2023. Even with Microsoft's guidance, this misconfiguration is not something Microsoft can fix on its side, leaving developers to bear the burden. Remember, nOAuth: where the only thing harder than pronouncing it is fixing it.

Hot Take:
Just when you thought your SaaS apps were safe, nOAuth slides in like a sneaky raccoon rifling through your trash! Turns out, more than 10,000 SaaS apps might be rolling out the welcome mat to this mischievous variant. With all the excitement of watching paint dry, Microsoft has decided to play the role of a wise old sage, offering advice from the mountaintop, while developers continue to wander aimlessly in the valley of potential misconfigurations. Who knew securing the digital frontier would be this thrilling?
Key Points:
- nOAuth is a sneaky misconfiguration abuse in SaaS apps that integrate with Entra ID: the app treats the mutable, unverified email claim in the token as the user's identity, so anyone who controls an Entra tenant can set a user's email to a victim's address and be logged in as that victim.
- More than 10,000 SaaS apps might be open to nOAuth attacks despite a prior warning.
- Microsoft offers advice, but developers are the key players in preventing nOAuth.
- Semperis research found roughly 9% of the SaaS apps it tested to be vulnerable.
- nOAuth is an app-side misconfiguration, not a flaw Microsoft can patch centrally; each affected app has to stop keying accounts on the email claim.
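How the misconfiguration actually plays out, as an added example that is not code from the page, Semperis, or Microsoft: two constructed Entra ID token claim sets, one from the victim's tenant and one from an attacker-owned tenant whose user has the victim's email address, are resolved against a toy account store both the vulnerable way (by email) and the hardened way (by tenant ID plus object ID). The account store, the claim values and the handling of the optional `xms_edov` claim are illustrative assumptions; real code would first validate the token signature, issuer and audience with a JWT library, which is not shown here.

```python
# Added example, not from the original page: nOAuth-style account lookup, vulnerable vs hardened.
# Signature/issuer/audience validation is assumed to have already passed (via a JWT library).
from typing import Optional

# Constructed account store for a hypothetical SaaS app.
# "tid" is the Entra tenant ID, "oid" the user's object ID inside that tenant.
ACCOUNTS = {
    "alice": {
        "email": "alice@victim.example",
        "tid": "11111111-1111-1111-1111-111111111111",
        "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    },
}

# Constructed claim set for Alice's genuine "Login with Microsoft" from her employer's tenant.
VICTIM_TOKEN = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "email": "alice@victim.example",
    "preferred_username": "alice@victim.example",
}

# Constructed claim set for a user in an attacker-controlled tenant whose mail attribute
# was set to Alice's address. Entra issues it happily; the email is not verified.
ATTACKER_TOKEN = {
    "iss": "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
    "tid": "99999999-9999-9999-9999-999999999999",
    "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    "email": "alice@victim.example",            # attacker-chosen, unverified
    "preferred_username": "attacker@evil.example",
}


def lookup_by_email(claims: dict) -> Optional[str]:
    """The nOAuth misconfiguration: the mutable, unverified 'email' claim is the account key."""
    email = claims.get("email", "").lower()
    for username, acct in ACCOUNTS.items():
        if acct["email"].lower() == email:
            return username
    return None


def lookup_by_tenant_and_oid(claims: dict) -> Optional[str]:
    """Hardened lookup: key accounts on the immutable (tid, oid) pair the issuing tenant assigned."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    for username, acct in ACCOUNTS.items():
        if acct["tid"] == tid and acct["oid"] == oid:
            return username
    return None


def email_is_owner_verified(claims: dict) -> bool:
    """Only trust the email claim when Entra marks its domain as owner-verified through the
    optional 'xms_edov' claim (assumed enabled in the app registration; absent means unverified)."""
    return str(claims.get("xms_edov", "")).lower() in ("true", "1")


def sign_in(claims: dict) -> Optional[str]:
    """Hardened sign-in: (tid, oid) decides identity; email only matters if owner-verified,
    and even then it is used for display, never for matching an existing account."""
    user = lookup_by_tenant_and_oid(claims)
    if user is None and email_is_owner_verified(claims):
        # A verified email could be used to offer account linking here; it is still not a
        # substitute for the (tid, oid) identity, so we do not silently log the caller in.
        return None
    return user


if __name__ == "__main__":
    print("vulnerable, victim  ->", lookup_by_email(VICTIM_TOKEN))
    print("vulnerable, attacker->", lookup_by_email(ATTACKER_TOKEN))   # account takeover
    print("hardened,  victim   ->", sign_in(VICTIM_TOKEN))
    print("hardened,  attacker ->", sign_in(ATTACKER_TOKEN))          # rejected
```

The takeaway the bullet list only states: keying on `email` lets the attacker's token land in Alice's account, while keying on `(tid, oid)` treats the attacker as an unknown user. Migrating an existing app means re-keying stored accounts, which is why the fix sits with each developer rather than with Microsoft.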