

Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com)

Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc.)." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.

59 comments

  1. Why the fuck is it so complicated?! by Anonymous Coward · · Score: 2, Insightful

    Why the fuck are these authentication/authorization systems so goddamn complex?! Anyone who has worked with PAM or Kerberos or OAuth will know what I'm talking about. This is the kind of stuff that needs to be extremely simple so that it's easily understood, easily implemented, and easily verified. But what we end up with are terribly complex systems that end up being difficult for anyone to get a good grasp of, and this results in all kinds of problems.

    1. Re:Why the fuck is it so complicated?! by phantomfive · · Score: 1

      Because every company wants to have their own internal authentication system integrated with your service. That's assuming they want to use your service, of course.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Why the fuck is it so complicated?! by Anonymous Coward · · Score: 0

      PRODUCTIVITY CLOUD!

    3. Re:Why the fuck is it so complicated?! by jellomizer · · Score: 3, Insightful

      Design by committee.
      An attempt to cover all cases in one protocol = one bad protocol.

      This complexity is part of the problem of not getting more secure systems. Because the business makers ask if this or that has the feature that the other has, and if you say "No, it doesn't," it gets nixed. Even if you never ever use such a feature.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Why the fuck is it so complicated?! by phishybongwaters · · Score: 1

      Well anyone who's worked with PAM or Kerberos would understand why Federated Services are pretty much required. Or are you ok with trusting every domain you want your company to interact with?

    5. Re:Why the fuck is it so complicated?! by Opportunist · · Score: 1

      You kids and your need to give old things new names. We simply called that "Vaporware".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Why the fuck is it so complicated?! by TechyImmigrant · · Score: 1

      The NSA put a lot of effort into undermining open security standards, having people turn up and propose things that make it more complex, leading to inevitable security holes. I've worked in standards and seen it in action myself, with individuals who never deviate from proposing things that work against simplicity or ease of implementation, or sound algorithm choices: "But what about all the legacy devices that only support RC4? Here, take this cipher suite negotiation mechanism that's guaranteed to ensure these algorithms never go away." It's not like it stopped after Snowden. I can point to events in the last 6 months. For all I know every other intelligence agency is doing the same thing.

      So that's one reason why it's so complicated. There are other reasons but that's not my area of expertise.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re: Why the fuck is it so complicated?! by Anonymous Coward · · Score: 0

      Because if it was simple the NSA couldn't exploit subtle flaws for years before someone else figured it out.

      What did you think this 'move to the cloud' propaganda is really about?

    8. Re:Why the fuck is it so complicated?! by plopez · · Score: 2

      "I can point to events in the last 6 months"

      please do

      --
      putting the 'B' in LGBTQ+
  2. This is only the beginning.. by bravecanadian · · Score: 5, Interesting

    Convenience and security are always opposed. Having all your eggs in one basket sure is convenient but Office365 covers a wide variety of services in complex configurations and this sort of thing is bound to happen. It will happen to all of these big services (iCloud, Google, AWS etc.) if it hasn't already.

    A simple configuration mistake can also be amplified into a very big problem.

    And I say that as someone who thinks Office365 is helpful for my business.

  3. SAML and Federation by sexconker · · Score: 1, Flamebait

    Oh look, the federated model fails yet again.
    Can the "single sign on" zealots be tarred and feathered yet?

    "But federation works if you know what you're doing!" Sure, it (mostly) works IF there are people who know what they're doing and IF you pay them to do it and IF this is true at the end of both providers and IF you keep paying them to maintain it.

    1. Re:SAML and Federation by phishybongwaters · · Score: 1

      How is that different than any other authentication system? I think you are misunderstanding what happened and the implications. Not everyone leverages Office 365. TONS of companies have implemented Federation Services. They are not the same thing.

    2. Re:SAML and Federation by JaredOfEuropa · · Score: 1

      Still beats having separate passwords (and account management) for external services. As we've seen countless times, even simple user/pass logon systems are compromised thanks to sloppy configuration.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:SAML and Federation by Anonymous Coward · · Score: 1

      SAML isn't even remotely complicated.

      IdP = identity provider (your company)
      SP = service provider (microsoft in this case)

      you go to microsoft and try to log in, as joe@acme.com they see if you have a cookie because you are already authenticated and you don't, so they say "well, need to auth this guy, ok, acme.com is federated to federation.acme.com/o365/", so they send you a 302 to redirect you to federation.acme.com/o365 (which can be some other url, it is just unique per SP since your idp probably has lots of partners)

      ok, great, now federation.acme.com/o365 checks to see if you already have an acme SSO cookie, let's say no in this case, so you have to put in your user name / password then you get authed and get a cookie for future sessions

      now you are good, so federation.acme.com/o365/ sends you an xml document signed with its private key and a 302 back to ms (this is why the /o365 at the end, otherwise it wouldn't know to send you to ms or google or dropbox or concur whatever other partners you have)

      ok, so now you go back to ms but this time have the signed xml doc (assertion) and you get in with a cookie from MS

      simple!

      now, the problem here is that you exchange public cert info with MS for acme.com and that is good for authing joe@acme.com, frank@acme.com, etc

      it shouldn't be good for authing joe@pornhub.com (assuming pornhub.com is also federated with ms)

      ms didn't check that the sent user domain was a subdomain of the tenant that signed the assertion

      that's a bad fuck up
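The missing check described in this comment, as an added example that is not part of the thread: an SP must bind the subject's domain to the tenant whose key signed the assertion, not just verify the signature. The tenant registry, issuer URLs and keys are constructed for the example, and an HMAC stands in for the XML-DSig signature so it runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed SP-side registry: issuer -> key the SP trusts for that tenant (stands in
# for the exchanged public cert) and the domains the tenant has proved it owns.
TENANTS = {
    "https://federation.acme.com/o365/": {
        "key": b"acme-idp-key (constructed)",
        "domains": {"acme.com"},
    },
    "https://sso.example.org/o365/": {
        "key": b"example-idp-key (constructed)",
        "domains": {"example.org"},
    },
}


def sign_assertion(issuer: str, name_id: str) -> dict:
    """IdP side: emit an assertion whose signature covers issuer and subject.
    HMAC over a canonical JSON body replaces XML-DSig for this example."""
    body = json.dumps({"issuer": issuer, "name_id": name_id}, sort_keys=True)
    sig = hmac.new(TENANTS[issuer]["key"], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_signature(assertion: dict):
    """SP side, step 1: look up the signing key by issuer and check the signature.
    Returns the parsed body, or None for unknown issuers and bad signatures."""
    body = json.loads(assertion["body"])
    tenant = TENANTS.get(body.get("issuer"))
    if tenant is None:
        return None
    expected = hmac.new(tenant["key"], assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    return body


def sp_login_vulnerable(assertion: dict):
    """Signature-only check: any federated tenant can assert any subject (the flaw)."""
    body = verify_signature(assertion)
    return body["name_id"] if body else None


def sp_login_hardened(assertion: dict):
    """Step 2: the subject's domain must be one registered to the signing tenant.
    Exact match against the registered set; a suffix test like endswith("acme.com")
    would wrongly accept evilacme.com."""
    body = verify_signature(assertion)
    if body is None:
        return None
    domain = body["name_id"].rpartition("@")[2].lower()
    if domain not in TENANTS[body["issuer"]]["domains"]:
        return None
    return body["name_id"]
```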

    4. Re:SAML and Federation by sexconker · · Score: 2

      I disagree. Having one account (with unique credentials) per service is more secure. Any fuckups are limited to the scope of that service.
      For a federated model, you have to trust the implementation of the IdP and the SP. Fuckups on the SP end (usually) don't result in major problems, but fuckups on the IdP end are a spectacle for the ages.

    5. Re:SAML and Federation by sexconker · · Score: 1

      So simple one of the largest IdPs fucked it up royally.

    6. Re:SAML and Federation by Anonymous Coward · · Score: 0

      the SP fucked it up actually, please try to pay attention

    7. Re:SAML and Federation by LDAPMAN · · Score: 1

      This one is completely on the SP. Since the largest SAML implementations are all single SP with many IDPs like this one, an IDP fuckup is the lesser problem.

  4. Oh shit! by Anonymous Coward · · Score: 0

    Oh Shit!

  5. If Microsoft builds a self-driving car by phantomfive · · Score: 3, Funny

    If Microsoft builds a self-driving car, I will leave the road for a few years until they all crash. At a minimum until version 3.11.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:If Microsoft builds a self-driving car by Krojack · · Score: 0

      We all know how Microsoft doesn't follow industry standards now. The cars won't even follow the standard laws; for example, they will drive on the opposite side of the road because Microsoft thinks it knows what's best.

    2. Re:If Microsoft builds a self-driving car by Anonymous Coward · · Score: 1

      If Microsoft builds a self-driving car, it will hunt you down until you "upgrade" to one.

  6. Yet Another Microsoft Security Failure by Anonymous Coward · · Score: 0

    So what else is new?

    Microsoft software - insecure at any time.

  7. not as bad as it sounds by Anonymous Coward · · Score: 0

    It is not as bad as it sounds. It is mitigated much because no one would ever be so dumb as to combine a "cloud-based service" and "very sensitive information" without also adding a very serious SLA allowing for equally serious punitive damages, now would they?

  8. Executives by 110010001000 · · Score: 2

    The executives in charge of Office 365 were sacked immediately. No wait, they were given bonuses. Never mind.

  9. Well, duh by Rosco+P.+Coltrane · · Score: 1

    Friends don't let friends use online applications to do offline jobs like text processing. Standalone office applications have no account hacking problems.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Well, duh by jfbilodeau · · Score: 1
      --
      Goodbye Slashdot. You've changed.
    2. Re:Well, duh by Anonymous Coward · · Score: 0

      That makes no sense. Office 365 IS a standalone office install. The issue is that the data stored in say Outlook can be in Exchange online - and it was exposed. Likewise OneDrive would be exposed. It has no bearing on the client itself.

    3. Re:Well, duh by sjames · · Score: 1

      But IT'S SO FLUFFY!!!!!

    4. Re:Well, duh by jfbilodeau · · Score: 1

      There's no such thing as an Office 365 install. It's web only. Are you sure you're not confusing it with Microsoft Office 201*?

      --
      Goodbye Slashdot. You've changed.
    5. Re:Well, duh by Anonymous Coward · · Score: 0

      Before posting a snarky reply such as yours, at least make sure you're not totally fucking wrong. You look like a complete shit bag.

    6. Re: Well, duh by Anonymous Coward · · Score: 0

      Sure, it's web only, except for the gigabytes downloaded to your program files folders...

  10. Fixed in 7 hours... by Anonymous Coward · · Score: 0

    The report mentions that the issue was disclosed to MS on 5th of January and fixed in 7 hours. This strikes me as odd because we literally had login issues and performance problems with Office 365's portal page on the 6th. Coincidence?

    1. Re:Fixed in 7 hours... by Anonymous Coward · · Score: 0

      Oh, you literally had login issues. Good to know that you weren't talking about hypothetical login issues. I literally woke up this morning and literally took a shit, too. I figured I'd literally tell you those events literally happened, just to avoid any confusion.

    2. Re:Fixed in 7 hours... by Anonymous Coward · · Score: 0

      You highlight one of the beauties of the English language: meanings evolve, to the point that a word can come to literally mean the opposite of its original definition.

  11. SAML is sketchy... by jopsen · · Score: 1

    SAML is so overly complicated it's crazy... Of course it's full of security issues like this... Give it a few years and someone might finally do a simple spec...

    1. Re:SAML is sketchy... by Anonymous Coward · · Score: 0

      they already did

      https://openid.net/connect/

  12. Humans are the worst :) by jopsen · · Score: 3, Insightful

    Convenience and security are always opposed.

    No, not really... Because if it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox :)

    Humans are the worst security risk... If you can't eliminate the humans, your best bet is to make it as convenient as possible for them.

    We all know how to send emails safely with GPG, but unless it's very very secret we never do this, because it's inconvenient.
    The best thing we can do for security is to make it convenient to do the right thing..

    In the end, it's not the zero day software issues that are going to get you... Most of the time, it's those pesky humans that will make a mistake :)
    When talking about the security of systems I'm building, I always enjoy joking about how I am the biggest security threat, he he... If only I was joking.

    1. Re:Humans are the worst :) by U2xhc2hkb3QgU3Vja3M · · Score: 1

      If it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox.

      The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.

    2. Re:Humans are the worst :) by dbIII · · Score: 1

      If it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox.

      The best method is to write passwords on a post-it note attached to your monitor. Hackers will never be able to read those.

      For best security attach the note to a 120 inch monitor:
      https://en.wikipedia.org/wiki/...

  13. Re:Nonsense. OpenBSD proves you wrong. by Anonymous Coward · · Score: 0

    Sounds great. On android, if I want to share a photo: I press the camera icon, press the take picture icon. After that, I press the pic of the photo, and then press send. I choose who I want to send it to and I'm good to go.

    OpenBSD is this easy, right?

  14. Dogfood by Anonymous Coward · · Score: 1

    The list includes..Microsoft...

    That's really strange. Microsoft, of all companies, should know how buggy and insecure Microsoft products are.

  15. That's what the 'Cloud' is for by JoeyRox · · Score: 1

    To rain on your security.

  16. This is a win for cloud backup services by Anonymous Coward · · Score: 0

    Think of all the haxxors that will have cached copies of all your confidential data!!! The cloud is truly a wondrous place! Clouds, rainbows and flying unicorns! Just watch out for all the unicorn shit while your head is in the clouds.

  17. To quote from my boss... by Anonymous Coward · · Score: 1

    "If Microsoft builds a vacuum cleaner it will be the only MS product that wouldn't suck" :)

  18. Why is this "news"? by Anonymous Coward · · Score: 0

    Vulnerability found (nearly five months ago), vendor notified, vendor fixed immediately.

    Where is the story?

    1. Re:Why is this "news"? by Anonymous Coward · · Score: 0

      We need to keep track, if that's possible, of every time Microsoft fucks up.

    2. Re: Why is this "news"? by Anonymous Coward · · Score: 0

      Where's the story? The story is 'customers not notified'.

    3. Re:Why is this "news"? by Anonymous Coward · · Score: 0

      Who the fuck is WE?
      You mean the responders to this thread - who swear they do not use anything from Microsoft?

      The proper word is extreme, obnoxious, noisy minority who have zero (0) influence on their companies' use of software.

      Bugger off asshole.

  19. Keep it off the cloud. by Lumpy · · Score: 3, Insightful

    Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

    Honestly you have to be insane to trust all your business's secrets to a freaking cloud service.

    --
    Do not look at laser with remaining good eye.
    1. Re:Keep it off the cloud. by SirAudioMan · · Score: 1

      Agreed - I've been saying this for years and will continue to say this.

    2. Re:Keep it off the cloud. by sociocapitalist · · Score: 1

      Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

      Honestly you have to be insane to trust all your business's secrets to a freaking cloud service.

      Thus the rise of the 'hybrid cloud'.

      --
      blindly antisocialist = antisocial
  20. It's a Feature! by Anonymous Coward · · Score: 0

    This a collaboration feature!

  21. In other news... by Psycho_Bunny · · Score: 2

    MS reiterates the private data they're stealing from Win 10 machines is perfectly safe and professionally stored on secure servers.

  22. Typical. by westlake · · Score: 0

    I am hearing a lot of snark here about a problem that was fixed about seven hours after it was properly and privately disclosed early in January --- and not much said about it publicly until the last week of April.

  23. oh. they mad? by Anonymous Coward · · Score: 0

    They want the public to share all their data but share "theirs" oh fuck.

    Microsoft. Global Mother Fucking Spyware. EOS