Microsoft closes Office 365 admin access vulnerability

Summary: The vulnerability allowed users to create administrative accounts and take over a business' Office 365 implementation.

Microsoft has closed up a cross-site scripting (XSS) vulnerability in its Office 365 offering, allowing the security researcher who discovered it to explain how it was done.

Cogmotive co-founder Alan Byrne details how the vulnerability can be exploited on his company's blog, as well as in a YouTube video demonstration.

"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud, we need to be more and more aware of the potential security risks," he wrote.

The vulnerability stems from Microsoft's failure to sanitise input fields. Under the default implementation of Office 365, users are able to change their names. As the contents of this field are not checked, users can enter HTML code.

In Byrne's example, he attempts to load an image, which, when failing, will load a JavaScript file of his choosing. This executes whenever anyone attempts to view the name of the user, such as when a list of users in an organisation is viewed. While this could be used to steal individual users' sessions, Byrne has bigger plans.

He instead targets Office 365 administrators, who, when logging into the Office 365 admin centre, will be served a script targeted towards them.

This script loads up two inline frames, each with width and height values set to 0 so they are effectively not visible on the page. The script further uses these two iframes to add a new user with global administrative rights, and change the old user's name back to normal.

Adding a new user means a temporary password is emailed to them, providing them with everything needed to log in and take complete control of the organisation's Office 365 implementation, including locking the original administrators out.
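The unsanitised name field described above is a stored XSS, and the standard fix is to encode the name wherever it is displayed and to reject markup when it is saved. The following is an added example, not code from Microsoft or from Byrne's write-up; the function names, the 64-character limit and the sample records are assumptions made for illustration.

```javascript
// Added example: function names and sample records are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged.
function renderUserRowUnsafe(user) {
  return '<tr><td>' + user.displayName + '</td></tr>';
}

// Hardened pattern: encode at output time, wherever the name is displayed.
function renderUserRowSafe(user) {
  return '<tr><td>' + escapeHtml(user.displayName) + '</td></tr>';
}

// Defence in depth at write time: refuse markup and control characters,
// while still accepting ordinary names with apostrophes or accents.
// The 64-character limit is an assumed policy value.
function validateDisplayName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  const trimmed = name.normalize('NFC').trim();
  if (trimmed.length === 0 || trimmed.length > 64) return { ok: false, reason: 'length' };
  if (/[<>\u0000-\u001f\u007f]/.test(trimmed)) return { ok: false, reason: 'markup or control character' };
  return { ok: true, value: trimmed };
}

// Audit helper: list accounts whose stored name would already fail validation.
function findSuspiciousNames(users) {
  return users.filter((u) => !validateDisplayName(u.displayName).ok).map((u) => u.id);
}

// Constructed directory records; the second mimics a name field holding an image tag.
const SAMPLE_USERS = [
  { id: 'u1', displayName: "Siobhán O'Brien" },
  { id: 'u2', displayName: '<img src="x" onerror="/* attacker script */">' },
];
```

Output encoding is the control that closes the hole; the write-time check and the audit helper only reduce what reaches the renderer and help find names that were stored before the fix.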

Byrne reported the issue to Microsoft on October 16 last year, and it was resolved on December 19.

Although Microsoft runs a bug bounty of its own, Office 365 is outside the scope of its program, meaning that Byrne is ineligible for a reward. Byrne has been mentioned on Microsoft's Security Researcher Acknowledgements list, however, and he has praised the tech giant for how it handled his report.

"Microsoft, to their credit, did a very good job by quickly fixing this issue and communicated effectively with me during the entire process. I've heard many horror stories from people who have reported bugs to other companies and got nowhere, leaving them with little choice but to publicly disclose the issue before it was fixed."

Topics: Security, Cloud, Microsoft

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

5 comments
  • I know some people aren't going to read the article...

    ... So I'll just go ahead and put this here.

    "Byrne reported the issue to Microsoft on October 16 last year, and it was resolved on December 19."
    ForeverCookie
    • Microsoft fixed the issue within three months...

      ..according to Byrne, that qualifies as doing "a very good job by quickly fixing this issue".

      Without really knowing what was involved in the fix, we don't have really any other context to use to determine if that turnaround time was acceptable or not. You didn't provide any either, so what was the point of your comment?
      daftkey
      • Troll repellent.

        Also for extinguishing potential flame wars.
        ForeverCookie
        • You should know better than that...

          "Troll repellent. Also for extinguishing potential flame wars."

          Facts and coherent arguments aren't very effective Troll repellent.. looks like notomsnotonsa has already stepped away from the fry machine to get a quick quip in this comment section...
          daftkey
  • Kudos to Cogmotive co-founder Alan Byrne for bringing this to

    the Microsoft team in charge of Office 365. This could have been a huge disaster if someone else had exploited the vulnerability.
    WhoRUKiddin