Flaw in Microsoft Cloud Offering

Friday, January 24, 2014 @ 01:01 PM gHale

There could be a big cross-site scripting (XSS) vulnerability in Microsoft Office 365, the cloud version of the Office suite of business software, a researcher said.

While Microsoft did patch the vulnerability, whether companies applied the patch still remains open to question. Alan Byrne, managing director of Cogmotive, a London-based Office 365 reporting firm, found the flaw when conducting a security audit of the company’s own Office 365 reporting application.


Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full administrative permissions over their entire company’s Office 365 environment using just a few lines of JavaScript, he said in a blog post.

“The malicious employee would now have access to the Email and SharePoint content of every employee in the company as well as the ability to make any configuration changes to the environment,” he said.

“Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good WhiteHat on October 16, 2013,” he said in his blog post. “We shared all of our research with the Microsoft Security team who soon confirmed the issue. It was resolved by December 19, 2013 and they have graciously allowed me to detail my findings publicly in this article.”

Byrne said in a video that Web developers are used to correctly handling direct user input, but often incorrectly assume that information retrieved from a third party service is “safe” to be directly output to the browser.

“It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365. If it existed in the earlier Wave 14 version we would have noticed it during one of our previous tests. At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory,” he said in his blog post.

“The Office 365 Web portal is just like any other Web application and even uses the jQuery library. This made it relatively easy to craft an XSS string that loaded a JavaScript file from a remote web server and executed its contents,” he said.

By the time the administrator sees the XSS payload, it is too late and the code has already executed.
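The root cause described above, trusting fields read back from a directory service, is shown here as an added example; it is not code from Byrne's post or from Microsoft. The record fields, function names and sample data are constructed for illustration.

```javascript
// Constructed sample: records as a directory service might return them.
// displayName is set by an ordinary mailbox user and may contain markup.
const directoryUsers = [
  { displayName: 'Alice Example', mail: 'alice@example.com' },
  { displayName: 'Bob <script>/* constructed marker */</script>', mail: 'bob@example.com' },
  { displayName: 'Carol "C" O\'Neil & Co', mail: 'carol@example.com' },
];

// Encode the five characters that are significant in HTML text and
// in quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": trusts the directory because it is a back-end service.
function renderRowUnsafe(user) {
  return `<tr><td title="${user.displayName}">${user.displayName}</td><td>${user.mail}</td></tr>`;
}

// "After": every directory field is encoded at the point of output.
function renderRowSafe(user) {
  const name = escapeHtml(user.displayName);
  return `<tr><td title="${name}">${name}</td><td>${escapeHtml(user.mail)}</td></tr>`;
}

// Audit helper: which records would change the page structure if rendered raw?
function findUnsafeRecords(users) {
  return users
    .filter((u) => Object.values(u).some((v) => escapeHtml(v) !== String(v)))
    .map((u) => u.mail);
}

function renderTable(users, renderRow) {
  return `<table>${users.map(renderRow).join('')}</table>`;
}

console.log(renderTable(directoryUsers, renderRowSafe));
console.log('records needing encoding:', findUnsafeRecords(directoryUsers));
```

In a jQuery-based page the equivalent fix is to set cell content with `.text()` rather than `.html()`.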

“This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars’ worth of damage. As we move further and further into the cloud we need to be more and more aware of the potential security risks,” Byrne said.
