Anyone hosting a Word document on their webserver can steal Microsoft Office 365 credentials due to a bug in how the cloud service attempts to authenticate users.
Adallom chief software architect Noam Liran discovered the bug, outlining how it works on his blog.
Office 365 requires users to log in to their account, and, when downloading a document from a SharePoint server, it verifies the credentials of the currently logged-in user by sending an authentication token.
The token should only be sent when the server is on the sharepoint.com domain. However, Liran found that by running his own server and sending back responses that would be expected of a legitimate SharePoint server, the user's computer would send the authentication token anyway.
"Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organisation's SharePoint Online site, download all of it, modify it, or do whatever it wants, and you will never know about it. In fact, you won't even know you got hit! It's the perfect crime," he wrote.
Adallom has created a proof of concept video demonstrating how authentication tokens can be stolen.
Microsoft has responded to the vulnerability, releasing a security bulletin.
Its advisory states that "an attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site".
It also acknowledges Liran by name.
Patches for the vulnerability were released earlier this month as part of Microsoft's Patch Tuesday release.