Serious Flaw Exposed Microsoft Office 365 Accounts

Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files. Microsoft patched the issue within 7 hours after learning of its existence.

The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.

The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.

Microsoft’s implementation of the SAML service provider did not perform adequate checks, allowing an attacker to provide assertions declaring that one identity provider has authenticated the users of a different identity provider.

Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to their own user directory. The attacker could then connect to the victim’s account by starting the authentication process on login.microsoftonline.com with their own username, and finishing the login process on the identity provider with the target’s username.
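The check that was missing, as an added illustration that is not code from the researchers or from Microsoft: before trusting an assertion, the service provider must confirm that the identity provider named in the assertion's Issuer is the one federated for the domain of the user it names. The federation table, domains and issuer URLs below are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical federation table: which identity provider (by SAML Issuer
# entity ID) may assert identities for which email domain. The domains and
# issuer URLs are constructed for this example.
FEDERATED_DOMAINS = {
    "example-university.edu": "https://idp.example-university.edu/saml2",
    "example-corp.com": "https://sts.example-corp.com/adfs/services/trust",
}

def check_assertion_binding(assertion_xml: str) -> tuple[bool, str]:
    """Return (accepted, reason) after the cross-domain issuer check.

    Signature verification is assumed to have already passed; this only checks
    that the issuer is the identity provider federated for the subject's domain.
    """
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", NS)
    nameid_el = root.find("saml:Subject/saml:NameID", NS)
    if issuer_el is None or nameid_el is None or not nameid_el.text:
        return False, "assertion is missing Issuer or Subject/NameID"
    issuer = (issuer_el.text or "").strip()
    name_id = nameid_el.text.strip()
    if "@" not in name_id:
        return False, "NameID is not an email-style identifier"
    domain = name_id.rsplit("@", 1)[1].lower()
    expected = FEDERATED_DOMAINS.get(domain)
    if expected is None:
        return False, f"domain {domain} is not federated"
    if issuer != expected:
        return False, f"issuer {issuer} is not the identity provider for {domain}"
    return True, "issuer is authorized for the asserted user's domain"

def _assertion(issuer: str, name_id: str) -> str:
    # Minimal constructed assertion; real ones also carry a signature and conditions.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )

# Legitimate: the university IdP asserting one of its own users.
LEGIT = _assertion("https://idp.example-university.edu/saml2", "alice@example-university.edu")
# Cross-domain: the university IdP asserting a user of another federated domain; refused.
CROSS = _assertion("https://idp.example-university.edu/saml2", "bob@example-corp.com")
```

Deployments that federate many tenants should also log every rejection here, since a burst of issuer/domain mismatches is a clear detection signal.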

Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that even domains federated using Active Directory Federation Services (ADFS) are affected.

This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, except those using multi-factor authentication. The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.

“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.


Bratec and Kakavas discovered the vulnerability in December, and reported it to Microsoft in early January. The tech giant patched the issue within 7 hours and awarded the experts an undisclosed amount of money for their work.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
