Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files. Microsoft patched the issue within 7 hours after learning of its existence.
The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.
The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.
Microsoft’s implementation of the SAML service provider did not perform adequate checks, allowing an attacker to provide assertions declaring that one identity provider has authenticated the users of a different identity provider.
Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to their own user directory. The attacker could then connect to the victim’s account by starting the authentication process on login.microsoftonline.com with their own username, and finishing the login process on the identity provider with the target’s username.
Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that even domains federated using Active Directory Federation Services (ADFS) are affected.
This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, excepting those using multi-factor authentication. The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.
“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.
Bratec and Kakavas discovered the vulnerability in December, and reported it to Microsoft in early January. The tech giant patched the issue within 7 hours and awarded the experts an undisclosed amount of money for their work.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
