Microsoft patches Yammer hole that allowed full account takeover

Insecure implementation of authentication protocol led to vulnerability in service used by 85% of Fortune 500

Microsoft has patched a hole in Yammer that would have allowed hackers to take over user accounts with full privileges on the enterprise social network service.

Exploiting an "insecure implementation of OAuth on the Yammer network," a hacker could commandeer a user's account by requesting a leaked OAuth access token that could be discovered on public search engines.

Yammer, acquired by Microsoft for $1.2 billion in June 2012, provides a service to build enterprise social networks. It is used by 200,000 companies, including 85% of the Fortune 500, and has eight million registered users, according to Yammer.

The Germany-based research outfit Vulnerability Laboratory notified Microsoft of the problem on July 10. The software giant's development team patched the hole on July 31.

Researcher Ateeq Khan wrote in his report, published publicly for the first time on Sunday, that during testing, he was "able to acquire sensitive information (valid access_tokens) using Google search engine and upon further testing it was revealed that by including the access token directly in the browser through an HTTPS request, it is possible to log on to Yammer as the affected user."

OAuth 2.0 is an authentication/authorization mechanism, more a framework than a protocol, that lets many different client types securely access RESTful APIs. Implementation anomalies, however, can lead to vulnerabilities. Facebook has had a number of such vulnerabilities crop up in its OAuth implementation.

OAuth does provide features that, when implemented, minimize the likelihood of a replay attack. In the Yammer implementation, a Yammer API module held the access token as a variable that was discoverable using the Google search engine.
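The leak path described above is a bearer token carried in a URL query string, where it ends up in server logs, browser history, Referer headers and search-engine caches. As an added illustration that is not from the article, Vulnerability Laboratory or Yammer, the following Python scans web-server access log lines for OAuth secrets in query strings and redacts them before a URL is logged or echoed; the log lines, paths and parameter values are constructed samples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# OAuth parameters that should travel in an Authorization header or POST body,
# never in a URL query string (assumed set of names, extend as needed).
SENSITIVE_PARAMS = {"access_token", "refresh_token", "client_secret"}

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2013:12:00:01 +0000] "GET /api/v1/messages.json?access_token=abc123def HTTP/1.1" 200 512
10.0.0.6 - - [10/Jul/2013:12:00:02 +0000] "GET /api/v1/users/current.json HTTP/1.1" 200 300
10.0.0.7 - - [10/Jul/2013:12:00:03 +0000] "GET /oauth2/access_token?client_id=x&client_secret=shh HTTP/1.1" 200 100
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def leaked_params(url):
    """Return the sorted names of sensitive parameters found in the URL's query string.

    Only the query string is inspected, so a path such as /oauth2/access_token
    does not trigger a finding on its own."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the value of each sensitive query parameter with REDACTED.

    Use this before writing a URL to a log, an error page or a Referer."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(text):
    """Return (redacted_url, leaked_param_names) for each request line that
    carries a secret in its query string."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = leaked_params(match.group(1))
        if names:
            findings.append((redact_url(match.group(1)), names))
    return findings


if __name__ == "__main__":
    for url, names in scan_log(SAMPLE_LOG):
        print(f"secret in URL: {url} leaks {', '.join(names)}")
```

A hit in this scan means the token has already reached every log and cache along the request path; the remedy is to revoke it and move the parameter into the Authorization header, not merely to redact the log.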

"The fact that search engine bots are able to capture live user session data/sensitive URL parameters in its cache which is publicly accessible by everyone should be noticed and fixed immediately," the Vulnerability Labs report said. "Also the fact that by requesting the access token directly in your browser through HTTPS, it simply logs you in the Yammer social network as the affected user, is also alarming. This vulnerability results in a complete compromise of the affected accounts, user profile and the associated risk is critical."