Office 365 bug allows hackers to steal credentials

Summary: Hosting a Word document or a PowerPoint slide on a webserver could be all that is needed to steal the authentication tokens that give access to an organisation's SharePoint Online site.


Anyone hosting a Word document on their own webserver could steal Microsoft Office 365 authentication tokens, thanks to a bug in how Office clients authenticate to the cloud service when fetching documents.

Adallom chief software architect Noam Liran discovered the bug, outlining how it works on his blog.

Office 365 requires users to log in to their account. When an Office application later downloads a document from a SharePoint Online server, it proves who the currently logged-in user is by sending that user's authentication token along with the request.

The token should only be sent to servers in the organisation's own SharePoint Online domain. Liran found, however, that a server under his control, returning the responses a legitimate SharePoint server would return, was enough: the user's computer sent the authentication token to it anyway. The client was deciding whether to hand over the token based on how the server presented itself, which an attacker controls, rather than on where the request was going.
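The following is an added illustrative model of the mistake described above; it is not Office client code, not Liran's proof of concept, and the hostnames, header name and token value are invented. It contrasts a policy that attaches the token whenever the server "looks like" SharePoint with one that attaches it only to hosts in the tenant's own SharePoint domain over HTTPS.

```python
"""Model of a client that leaks an auth token to a server impersonating SharePoint.

Added example, not code from the article or from Microsoft/Adallom.
Assumptions (all invented for illustration): the tenant host list, the
probe header "X-Server-Role", and the token string.
"""
from urllib.parse import urlsplit

# Constructed sample values, not a real tenant or a real token.
TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
TOKEN = "example-token-do-not-reuse"


class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""

    def __init__(self, status, headers):
        self.status = status
        self.headers = {k.lower(): v for k, v in headers.items()}


def vulnerable_should_send_token(url, probe):
    """Buggy policy: trust the server's own claim to be SharePoint.

    `probe` is the reply to an unauthenticated first request. Nothing here
    depends on the URL, so any server that returns these headers gets the token.
    """
    return (
        probe.status == 401
        and "www-authenticate" in probe.headers
        and probe.headers.get("x-server-role") == "SharePoint"  # invented header
    )


def hardened_should_send_token(url, probe):
    """Fixed policy: token goes only to the tenant's SharePoint hosts over HTTPS,
    regardless of what the server says about itself."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    # Exact match only: rejects suffix tricks such as contoso.sharepoint.com.evil.example
    return host in TENANT_HOSTS


def fetch_document(url, probe, policy):
    """Return the headers the client would send on the real document request."""
    headers = {"Host": urlsplit(url).hostname}
    if policy(url, probe):
        headers["Authorization"] = "Bearer " + TOKEN
    return headers


def leaks_token(url, probe, policy):
    """True if the Authorization header would be sent to this URL."""
    return "Authorization" in fetch_document(url, probe, policy)


# Constructed scenario: a .docx link on an attacker-controlled host whose
# server answers the probe exactly as a SharePoint server would.
ATTACKER_URL = "https://docs.attacker.example/quarterly-report.docx"
SPOOFED_PROBE = Response(401, {"WWW-Authenticate": "Bearer", "X-Server-Role": "SharePoint"})

LEGIT_URL = "https://contoso.sharepoint.com/sites/finance/report.docx"
LEGIT_PROBE = Response(401, {"WWW-Authenticate": "Bearer", "X-Server-Role": "SharePoint"})


if __name__ == "__main__":
    for name, policy in (("vulnerable", vulnerable_should_send_token),
                         ("hardened", hardened_should_send_token)):
        print(name, "- attacker host receives token:",
              leaks_token(ATTACKER_URL, SPOOFED_PROBE, policy))
        print(name, "- tenant host receives token:",
              leaks_token(LEGIT_URL, LEGIT_PROBE, policy))
```

The point of the hardened policy is that the allow decision uses information the client already holds (the scheme and hostname it is about to connect to) rather than anything in the server's reply; a server can say whatever it likes in its headers, but it cannot change which host the client resolved the link to.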

"Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organisation's SharePoint Online site, download all of it, modify it, or do whatever it wants, and you will never know about it. In fact, you won't even know you got hit! It's the perfect crime," he wrote.

Adallom has created a proof of concept video demonstrating how authentication tokens can be stolen.

Microsoft has responded to the vulnerability by releasing a security bulletin.

Its advisory states that "an attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site".

It also acknowledges Liran by name.

Patches for the vulnerability were released earlier this month as part of Microsoft's Patch Tuesday release.

Topics: Security, Enterprise Software, Microsoft

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • That's a serious security vulnerability

    Slack coding.
    Alan Smithie
  • This article is actually a disservice to users

    By creating this article with only a small blurb at the very end stating it has been resolved is a true disservice to the community. Your article makes it sound like this is an outstanding bug and users are going to freak out that their service has been compromised. If you Google your headline it's everywhere now because other companies picked it up because of the scare tactic of the headline.

    And Alan, while I agree this is an issue, you'd be surprised at the other large vendors that have similar issues. Adallom hasn't announced the others yet because they haven't been able to fix their security issues. If the writer had followed the news a week ago, here: would have been a great read to understand that this isn't just a Microsoft problem and that at least Microsoft has fixed it.
    • Yes and no

      Just because MS has released patches for it does NOT mean those impacted by it have applied said patches. The issue still bears being discussed and made known so that those exposed can verify their systems have been patched.
  • Wonderful...

    another reason not to go to the cloud -- along with all the others. This is just one bug, and apparently now fixed, but how many others are there lurking around, waiting to be discovered?

    If my data is on my computer, it will be much harder for someone to steal it.

    • I use the cloud all the time

      It's got to be done correctly, though. All of my sensitive information is stored on Dropbox and secured in a TrueCrypt container. When I start my system, I simply decrypt the container, it gets mounted and I have access to all of my most important files. When I unmount the TrueCrypt container, the Dropbox client software uploads the changed container file to the server. It adds a tertiary layer to my backup strategy.
  • Horrible Journalism

    The fact that this was resolved in a security patch should have been part of the headline or the first line of the article. I've lost all respect for this "scare-tactic" approach and the small one-liner at the end to address the resolution.
    • Missing the point

      Just because a vaccine is created doesn't solve the problem. You still have to get the injection. The opening lines of this article all stand the truth test if you haven't applied the appropriate patches.
  • Microsoft not a real solution for security!

    Microsoft is not a real solution for security. My business has switched back to BlackBerry after a brief attempt/trial of Nokia Windows Phone which was wildly unsuccessful. Now, with BlackBerry 10, we are happier than ever, a big step up from Windows. Just disappointed that for computing we're still stuck with Microsoft, as pricey Apple is not financially reasonable!