Thousands of SaaS Apps Could Still Be Susceptible to nOAuth

Posted: Sun Jul 13, 2025 4:41 pm
by Shane1145
New research suggests more than 10,000 SaaS apps could remain vulnerable to a nOAuth variant despite the basic issue being disclosed in June 2023.

nOAuth is best described as an abuse methodology used to target a misconfiguration or poor development practice in the interface between SaaS apps and Entra ID. The SaaS user is the victim.

It is effectively impossible for a SaaS user to know whether it is a nOAuth victim, and there are no mitigation options available. The victim may have its own extensive security controls, but nOAuth takes place between SaaS and Entra beyond the view of any local security.

https://www.securityweek.com/thousands- ... to-noauth/