Serious Flaw Exposed Microsoft Office 365 Accounts

Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files. Microsoft patched the issue within 7 hours after learning of its existence.

The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.

The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.

Microsoft’s SAML service provider did not verify that the identity provider issuing an assertion was the one registered for the asserted user’s domain. Any trusted identity provider could therefore present an assertion declaring that it had authenticated a user who belonged to a different identity provider, and the service provider accepted it.

Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to the user directory behind their own federated domain. The attacker would start the authentication process on login.microsoftonline.com with a username in their own domain, be redirected to their own identity provider, and finish the login there as the target’s username; the resulting assertion, issued by the attacker’s identity provider but naming the victim, was accepted for the victim’s account.
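To make the missing check concrete, the following is an added example, not the researchers’ proof of concept and not Microsoft’s code. It shows a minimal SAML assertion consumer in two forms: one that only asks whether the issuer is a trusted identity provider (the shape of the flaw described above), and one that additionally requires the issuer to be the identity provider registered for the asserted user’s domain. The domain names, issuer entityIDs, the federation table, and the IDPEmail attribute name are assumptions for the illustration, and XML signature verification is assumed to have already succeeded upstream.

```python
"""Cross-domain SAML assertion check: the weak form beside the hardened form.

Added illustration; not Microsoft's code. XML signature verification is assumed
to have succeeded before these functions run (a real SP must do it first, with
a proper SAML library, and must not parse untrusted XML with plain ElementTree).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed federation table (hypothetical domains and issuer entityIDs):
# for each federated domain, the single IdP the tenant registered for it.
FEDERATED_DOMAINS = {
    "victim.example": "https://sts.victim.example/adfs/services/trust",
    "attacker.example": "https://idp.attacker.example/saml",
}
TRUSTED_ISSUERS = set(FEDERATED_DOMAINS.values())


def build_response(issuer, upn, immutable_id):
    """Constructed minimal SAML 2.0 Response (no Signature element; see module docstring)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">{immutable_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="IDPEmail">
        <saml:AttributeValue>{upn}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull out the fields the SP decides on: issuer(s), NameID, asserted UPN."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    upn_el = assertion.find(
        "saml:AttributeStatement/saml:Attribute[@Name='IDPEmail']/saml:AttributeValue", NS)
    return {
        "response_issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "assertion_issuer": (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "name_id": (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip(),
        "upn": (upn_el.text or "").strip() if upn_el is not None else "",
    }


def consume_vulnerable(xml_text):
    """Weak check: accept any trusted IdP's assertion about any user.

    This is the shape of the flaw described in the article: the issuer is
    trusted, so its claim about which user it authenticated is taken as-is.
    """
    a = parse_response(xml_text)
    if a is None or a["assertion_issuer"] not in TRUSTED_ISSUERS:
        return None
    return a["upn"]


def consume_hardened(xml_text):
    """Hardened check: the issuer must be the IdP registered for the user's domain."""
    a = parse_response(xml_text)
    if a is None or not a["upn"] or not a["name_id"]:
        return None
    if a["response_issuer"] != a["assertion_issuer"]:
        return None  # Response and Assertion must come from the same IdP
    local, at, domain = a["upn"].rpartition("@")
    if not at or not local:
        return None  # not a routable UPN; nothing to bind the issuer to
    expected_issuer = FEDERATED_DOMAINS.get(domain.lower())
    if expected_issuer is None or a["assertion_issuer"] != expected_issuer:
        return None  # wrong or unknown IdP for this domain: cross-domain attempt
    return a["upn"]


# Constructed inputs: a legitimate login, and the attacker's IdP asserting the victim.
LEGIT = build_response(FEDERATED_DOMAINS["victim.example"], "alice@victim.example", "imm-0001")
ATTACK = build_response(FEDERATED_DOMAINS["attacker.example"], "alice@victim.example", "imm-0001")

if __name__ == "__main__":
    for label, resp in (("legit", LEGIT), ("attack", ATTACK)):
        print(label, "vulnerable ->", consume_vulnerable(resp),
              "| hardened ->", consume_hardened(resp))
```

The design point is that federation trust has to be keyed by domain, not kept as a flat set of trusted issuers: every assertion must be checked against the one identity provider that the tenant registered for the domain of the user it names. The hardened form also refuses assertions whose Response and Assertion issuers disagree, a mismatch a service provider should never need to tolerate.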

Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that domains federated using Active Directory Federation Services (ADFS) were affected as well.

This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, except those that enforced multi-factor authentication. The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.

“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.

Bratec and Kakavas discovered the vulnerability in December, and reported it to Microsoft in early January. The tech giant patched the issue within 7 hours and awarded the experts an undisclosed amount of money for their work.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
