Office 365 bug allows hackers to steal credentials

Summary: Hosting a Word document or a PowerPoint slide could be all that is needed to steal an organisation's SharePoint credentials.

Anyone hosting a Word document on their webserver can steal Microsoft Office 365 credentials due to a bug in how the cloud service attempts to authenticate users.

Adallom chief software architect Noam Liran discovered the bug, outlining how it works on his blog.

Office 365 requires users to log in to their account, and, when downloading a document from a SharePoint server, it verifies the credentials of the currently logged-in user by sending an authentication token.

The token should only be sent when the server is on the sharepoint.com domain. However, Liran found that by running his own server and sending back responses that would be expected of a legitimate SharePoint server, the user's computer would send the authentication token anyway.
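As an added illustration (not code from the article, Adallom or Microsoft), here is a simplified Python model of the check the article describes: the naive version trusts whatever the server's response claims about itself, while the hardened version decides from the requested URL's hostname alone. The header name, trusted-suffix list and URLs are constructed for the example and are assumptions, not details from the page.

```python
from urllib.parse import urlsplit

# Constructed for this example: the article only says the token belongs
# on the sharepoint.com domain, so tenant hosts are modelled as subdomains.
TRUSTED_SUFFIXES = (".sharepoint.com",)

# Constructed header name standing in for "a response that looks like SharePoint".
CLAIM_HEADER = "X-Claims-SharePoint"


def naive_should_send_token(url: str, response_headers: dict) -> bool:
    """Flawed model (assumed simplification): send the token whenever the
    server's own response says it is SharePoint. Any host can claim that."""
    return response_headers.get(CLAIM_HEADER) is not None


def hardened_should_send_token(url: str) -> bool:
    """Decide from the client's own knowledge of where the request goes.

    Requires https and checks the parsed hostname, not the raw URL string,
    so userinfo tricks (trusted-host@evil), path tricks (evil/trusted-host)
    and suffix tricks (trusted-host.evil) are all rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # strips userinfo and port, lowercases
    if not host:
        return False
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def demo() -> dict:
    """Run both checks over constructed URLs; returns {url: (naive, hardened)}."""
    claims = {CLAIM_HEADER: "yes"}  # a server can always send this
    urls = [
        "https://contoso.sharepoint.com/sites/hr/doc.docx",
        "https://evil.example/contoso.sharepoint.com/doc.docx",
        "https://contoso.sharepoint.com@evil.example/doc.docx",
        "https://contoso.sharepoint.com.evil.example/doc.docx",
        "http://contoso.sharepoint.com/doc.docx",
    ]
    return {u: (naive_should_send_token(u, claims), hardened_should_send_token(u))
            for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in demo().items():
        print(f"{url}\n  naive={naive}  hardened={hardened}")
```

Only the first URL should receive the token under the hardened check; the naive check would hand it to every one of them.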

"Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organisation's SharePoint Online site, download all of it, modify it, or do whatever it wants, and you will never know about it. In fact, you won't even know you got hit! It's the perfect crime," he wrote.

Adallom has created a proof of concept video demonstrating how authentication tokens can be stolen.

Microsoft has responded to the vulnerability, releasing a security bulletin.

Its advisory states that "an attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site".

It also acknowledges Liran by name.

Patches for the vulnerability were released earlier this month as part of Microsoft's Patch Tuesday release.


About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space, including information security, state government initiatives, and local startups.
