
July 1, 2025 49 mins

https://youtu.be/rQxc9N4gBqA


Speaker: Eric Woodruff

Throughout his 25-year career in the IT field, Eric has sought out and held a diverse range of roles. Currently the Chief Identity Architect for Semperis, Eric was previously a member of the Security Research and Product teams. Prior to Semperis, Eric worked as a Security and Identity Architect at Microsoft partners, spent time at Microsoft as a Sr. Premier Field Engineer, and spent almost 15 years in the public sector, 10 of them as a technical manager.

Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. His security research has also been recognized by Microsoft, most notably for the findings he dubbed “UnOAuthorized”. Eric is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. Eric further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.

Talk:

In June 2023, Descope published research on nOAuth, a critical OpenID Connect implementation flaw that enables user account takeover in vulnerable applications. Following the disclosure, Microsoft and the Microsoft Security Response Center (MSRC) published articles on this issue, highlighting common anti-patterns and their follow-up actions with impacted application owners.

Fast forward to the fall of 2024, and nOAuth remains an active security threat. In this session, we will explore its persistence, unveiling new research that builds upon Descope’s original findings to identify additional implementation flaw patterns and methods for staging the abuse. We will also discuss how we uncovered vulnerable applications, the varying responses from developers, and what this means for securing modern SaaS applications.

Attendees will leave with a deeper understanding of how nOAuth attacks work, real-world examples of its exploitation, and actionable strategies to mitigate this critical risk.
