
Serious Flaw Exposed Microsoft Office 365 Accounts

Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files. Microsoft patched the issue within 7 hours after learning of its existence.

The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.

The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.

Microsoft’s implementation of the SAML service provider did not perform adequate checks, allowing an attacker to provide assertions declaring that one identity provider has authenticated the users of a different identity provider.

Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to their own user directory. The attacker could then connect to the victim’s account by starting the authentication process on login.microsoftonline.com with their own username, and finishing the login process on the identity provider with the target’s username.
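The check described above, as an added illustration and not Microsoft's or the researchers' code: a minimal SAML service-provider validator that binds each federated domain to the one identity provider allowed to issue assertions for it, and rejects an assertion whose Subject belongs to a different domain than the one that started the login. The domain registry, entity IDs and user names are constructed placeholders; signature verification is assumed to happen before this step. The weak variant, which only asks whether the issuer is some known identity provider, is included beside it to show why that alone is insufficient.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed federation registry (hypothetical): each federated domain is bound
# to exactly one identity-provider entity ID that may issue assertions for it.
FEDERATED_DOMAINS = {
    "victim.example": "https://idp.victim.example/saml",
    "attacker.example": "https://idp.attacker.example/saml",
}


class AssertionRejected(Exception):
    """Raised when an assertion must not be used to sign the user in."""


def build_assertion(issuer, name_id):
    """Construct a minimal, unsigned SAML 2.0 assertion for the examples below."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"</saml:Assertion>"
    )


def _parse(xml_text):
    """Extract (issuer, user) from an assertion; reject if either is missing."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    name_id_el = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise AssertionRejected("assertion has no Issuer")
    if name_id_el is None or not (name_id_el.text or "").strip():
        raise AssertionRejected("assertion has no Subject/NameID")
    return issuer_el.text.strip(), name_id_el.text.strip()


def validate_assertion_weak(xml_text):
    """Insufficient check: accepts any assertion issued by a known identity provider,
    regardless of which domain the asserted user belongs to."""
    issuer, user = _parse(xml_text)
    if issuer not in FEDERATED_DOMAINS.values():
        raise AssertionRejected(f"unknown issuer {issuer}")
    return user


def validate_assertion(xml_text, login_domain):
    """Adequate check: the asserted user must belong to the domain whose login flow
    this is, and the assertion must come from the IdP registered for that domain."""
    issuer, user = _parse(xml_text)
    user_domain = user.rpartition("@")[2].lower()
    if not user_domain or user_domain != login_domain.lower():
        raise AssertionRejected(
            f"asserted user {user} does not belong to login domain {login_domain}")
    expected_issuer = FEDERATED_DOMAINS.get(user_domain)
    if expected_issuer is None:
        raise AssertionRejected(f"domain {user_domain} is not federated")
    if issuer != expected_issuer:
        raise AssertionRejected(
            f"issuer {issuer} is not authoritative for domain {user_domain}")
    return user


if __name__ == "__main__":
    # Legitimate: victim.example's own IdP asserts one of its users.
    legit = build_assertion(FEDERATED_DOMAINS["victim.example"], "alice@victim.example")
    print("legit, strict:", validate_assertion(legit, "victim.example"))

    # Cross-domain: a different tenant's IdP asserts a victim.example user while
    # the login flow was started with an attacker.example username.
    cross = build_assertion(FEDERATED_DOMAINS["attacker.example"], "alice@victim.example")
    print("cross, weak  :", validate_assertion_weak(cross))   # wrongly accepted
    try:
        validate_assertion(cross, "attacker.example")
    except AssertionRejected as exc:
        print("cross, strict: rejected -", exc)
```

The design point is that a service provider must tie the asserted identity to the identity provider that is authoritative for that identity's domain; knowing that an issuer is trusted for some tenant says nothing about whether it may speak for a user in another tenant.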

Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that even domains federated using Active Directory Federation Services (ADFS) are affected.

This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, except those using multi-factor authentication. The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.

“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.

Bratec and Kakavas discovered the vulnerability in December, and reported it to Microsoft in early January. The tech giant patched the issue within 7 hours and awarded the experts an undisclosed amount of money for their work.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
