Office 365 Vulnerability Allowed Unauthorized Administrator Access

Sunday, January 19, 2014

Anthony M. Freed


Security researcher Alan Byrne has disclosed a Cross Site Scripting (XSS) vulnerability in Microsoft Office 365 that would allow an attacker to obtain administrator privileges, gain access to email and SharePoint content across the network, and make configuration changes.

“Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment using just a few lines of JavaScript,” Byrne wrote.

“At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory.”
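To make that failure mode concrete, the following is an added illustration (not code from Byrne's write-up or from Microsoft): a routine that concatenates directory attributes straight into the administration page, beside the version that escapes them, run over constructed directory records with a check a reviewer could apply to any template that renders directory data. The field names and sample display names are assumptions.

```javascript
// Constructed directory records, standing in for what a portal reads out of
// the directory. The second displayName is user-controlled: the article's point
// is that a mailbox owner can set such a value and an administrator then views it.
const mailboxes = [
  { displayName: 'Alice Example', mail: 'alice@example.com' },
  { displayName: "Bob <script>alert('xss')</script>", mail: 'bob@example.com' },
];

// Minimal HTML escaping for text placed between tags or inside quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: directory fields are interpolated into markup unchanged,
// so tags inside a displayName become part of the page the administrator loads.
function renderMailboxTableUnsafe(entries) {
  const rows = entries.map(e =>
    `<tr><td>${e.displayName}</td><td>${e.mail}</td></tr>`);
  return '<table>' + rows.join('') + '</table>';
}

// Fixed rendering: every value is escaped at the point it is written into HTML,
// regardless of which backend store it came from or who can edit it there.
function renderMailboxTableSafe(entries) {
  const rows = entries.map(e =>
    `<tr><td>${escapeHtml(e.displayName)}</td><td>${escapeHtml(e.mail)}</td></tr>`);
  return '<table>' + rows.join('') + '</table>';
}

// Review check: does the rendered output still contain, verbatim, any input value
// that looks like markup? Returns true when a template leaks raw tags.
function leaksRawMarkup(html, entries) {
  return entries.some(e =>
    Object.values(e).some(v => /<[a-z]/i.test(v) && html.includes(v)));
}
```

Dropping the unsafe renderer into a unit test with `leaksRawMarkup` catches the class of bug described here before it reaches an admin-facing page.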

Byrne also produced a video demonstrating the exploit.

“Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good WhiteHat on October 16, 2013. We shared all of our research with the Microsoft Security team who soon confirmed the issue. It was resolved by December 19, 2013 and they have graciously allowed me to detail my findings publicly,” Byrne noted.

A detailed analysis of the vulnerability, the exploit, and the attack’s payload can be found here.

Cross Posted from Tripwire's State of Security
