Two independent European security researchers have discovered a massive security flaw in Microsoft's Office 365 product that would make it possible for an attacker to gain unrestricted access to almost any business account and access company Outlook Online email accounts, Skype for Business, OneNote and OneDrive online storage.
In December 2015, Ioannis Kakavas, from the Greek Research and Technology Network, and Klemen Bratec, from Šola prihodnosti Maribor in Slovenia, notified Microsoft that they had discovered a severe vulnerability affecting how Microsoft Office 365 handles federated identities via Security Assertion Markup Language (SAML) Service Provider implementation.
SAML is a standard that is used to exchange authentication and authorisation data between parties, such as an identity provider and a service provider (in this case, Microsoft). It also makes it possible for a user to have a single sign-on between multiple web domains, such as when users log in to the online Office 365 web portal.
The researchers discovered that the flaw made it possible for an attacker to bypass cross-domain authentication on all federated domains as SAML 2.0 was failing to authenticate the subject of the assertion being passed or perform any checks, and that it would be fairly easy for the flaw to be exploited. In addition, the researchers were also able to carry out the same attack over Active Directory Federation Services.
How the flaw was possible
In order to perform the hack, all an attacker would need would be a trial subscription to Office 365 and to install a SAML 2.0 Identity Provider. When the researchers performed a search using the security flaw, instantly they saw the names of some quite well known Office 365 customers, including some who were using federated SSO (single authentication credentials) with their Office 365 subscriptions.
The companies who would be vulnerable to having their Office 365 portals breached, apart from Microsoft itself, included: IBM, Intel, Cisco, Pfizer, BT, International Monetary Fund, The Daily Mail, Telefonica, Toyota Motors North America, Pricewaterhouse Coopers (PwC), KPMG, Verizon, Vodafone, Novartis Pharma AG, Japan Airlines, Caltex Australia, City of Chicago, British Airways, Royal Dutch Shell, British Airways, Santa Clara County and Georgia State university.
Unsurprisingly, within seven hours of Kakavas and Bratec sending in their report, Microsoft fixed the vulnerability and awarded the researchers an amount close to the maximum bounty of $15,000 (£10,270) offered for discovering vulnerabilities, but the researchers have had to wait until now to be able to tell their story.
The researchers say that there is no indication that the flaw they found was ever publicly exploited, and Microsoft has not said how long the flaw was present in Office 365. However it is slightly concerning because a large number of security vulnerabilities are never reported to the public, and it is known that some hackers and even government agencies routinely discover vulnerabilities and quietly use them to their advantage for intelligence gathering.
Nevertheless, it's great that Microsoft responded so quickly to the threat and made sure to conduct a thorough investigation over the last four months before news of the flaw went live, and that any hackers who might have known about the exploit are now locked out.