Microsoft closes Office 365 admin access vulnerability

The vulnerability allowed users to create administrative accounts and take over a business' Office 365 implementation.

Microsoft has closed up a cross-site scripting (XSS) vulnerability in its Office 365 offering, allowing the security researcher who discovered it to explain how it was done.

Cogmotive co-founder Alan Byrne details how the vulnerability can be exploited on his company's blog, as well as in a YouTube video demonstration.

"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud, we need to be more and more aware of the potential security risks," he wrote.

The vulnerability stems from Microsoft's failure to sanitise input fields. Under the default implementation of Office 365, users are able to change their names. As the contents of this field are not checked, users can enter HTML code.

In Byrne's example, he attempts to load an image, which, when failing, will load a JavaScript file of his choosing. This executes whenever anyone attempts to view the name of the user, such as when a list of users in an organisation are viewed. While this could be used to steal individual users' sessions, Byrne has bigger plans.

He instead targets Office 365 administrators, who when logging into the Office 365 admin centre will be served a script targeted towards them.

This script loads up two inline frames, each with width and height values set to 0 so they are effectively not visible on the page. The script further uses these two iframes to add a new user with global administrative rights, and change the old user's name back to normal.

Adding a new user means a temporary password is emailed to them, providing them with everything needed to log in and take complete control of the organisation's Office 365 implementation, including locking the original administrators out.

Byrne reported the issue to Microsoft on October 16 last year, and it was resolved on December 19.

Despite running a bug bounty of its own, Office 365 is outside the scope of its program, meaning that Byrne is ineligible for a reward. Byrne has been mentioned on Microsoft's Security Researcher Acknowledgements list, however, and he has praised the tech giant for how it handled his report.

"Microsoft, to their credit, did a very good job by quickly fixing this issue and communicated effectively with me during the entire process. I've heard many horror stories from people who have reported bugs to other companies and got nowhere, leaving them with little choice but to publicly disclose the issue before it was fixed."