Slashdot Mirror


Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com)

Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents, etc.)." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.
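The summary says the flaw was in how a multi-tenant service handled federated SAML identities, but not how. The example below is added here and is not code from Microsoft, Threatpost or the researchers, and it does not reproduce the reported bug. It shows the class of check a service provider that trusts many customers' identity providers has to make after the XML signature is verified: besides audience and validity window, the identity an assertion carries must belong to a domain that is federated to the IdP that issued it. The federation registry, entity IDs, assertions and the fixed clock are all constructed for the example; signature verification is assumed to have been done by the SAML library already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed federation registry: domain -> the one IdP entity ID allowed to
# assert identities in it. A real service loads this from each tenant's
# federation settings.
FEDERATED_DOMAINS = {
    "example.com": "https://sts.example.com/adfs/services/trust",
    "example.org": "https://idp.example.org/saml",
}
SP_AUDIENCE = "urn:federation:sp.example"   # constructed SP entity ID
NOW = datetime(2016, 1, 5, 10, 0, tzinfo=timezone.utc)  # fixed clock for the demo


class AssertionRejected(Exception):
    """Raised when an assertion fails a post-signature check."""


def build_assertion(issuer, name_id, audience=SP_AUDIENCE,
                    not_before="2016-01-05T09:55:00Z",
                    not_on_or_after="2016-01-05T10:05:00Z"):
    """Constructed, unsigned test assertion with only the elements the checks read."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_demo" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _utc(stamp):
    # SAML timestamps are ISO 8601 in UTC with a trailing Z.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def accept_assertion(xml_text, now=None):
    """Return the asserted NameID if every tenant-binding check passes.

    Assumes the XML signature was already verified against the issuer's
    certificate by the SAML library; that step is deliberately not repeated.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    conditions = root.find("saml:Conditions", namespaces=SAML_NS)
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)

    if not issuer or not name_id or "@" not in name_id:
        raise AssertionRejected("missing issuer or subject")
    if audience != SP_AUDIENCE:
        raise AssertionRejected("assertion is not addressed to this service")
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        raise AssertionRejected("missing validity window")
    if now < _utc(conditions.get("NotBefore")) or now >= _utc(conditions.get("NotOnOrAfter")):
        raise AssertionRejected("assertion outside its validity window")

    # The check that matters in a multi-tenant SP: the subject's domain must be
    # federated, and federated to *this* issuer. Accepting any valid assertion
    # from any registered IdP would let one tenant's IdP mint users in another's.
    domain = name_id.rsplit("@", 1)[1].lower()
    bound_issuer = FEDERATED_DOMAINS.get(domain)
    if bound_issuer is None:
        raise AssertionRejected(f"{domain} is not a federated domain")
    if bound_issuer != issuer:
        raise AssertionRejected(f"{issuer} is not the registered IdP for {domain}")
    return name_id


def decision(xml_text, now=NOW):
    """Convenience wrapper: 'accepted:<user>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + accept_assertion(xml_text, now)
    except AssertionRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    cases = {
        "own tenant": build_assertion(FEDERATED_DOMAINS["example.com"], "alice@example.com"),
        "cross tenant": build_assertion(FEDERATED_DOMAINS["example.org"], "alice@example.com"),
        "unfederated": build_assertion(FEDERATED_DOMAINS["example.org"], "bob@example.net"),
        "expired": build_assertion(FEDERATED_DOMAINS["example.com"], "alice@example.com",
                                   not_on_or_after="2016-01-05T09:59:00Z"),
    }
    for label, xml in cases.items():
        print(f"{label:13s} {decision(xml)}")
```

The "cross tenant" case is the one a registry keyed only by issuer would miss: the assertion is well-formed, in its validity window, addressed to the right audience and (by assumption) correctly signed by a registered IdP, and it is still rejected because that IdP is not the one bound to the subject's domain.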

4 of 59 comments

  1. Why the fuck is it so complicated?! by Anonymous Coward · Score: 2, Insightful

    Why the fuck are these authentication/authorization systems so goddamn complex?! Anyone who has worked with PAM or Kerberos or OAuth will know what I'm talking about. This is the kind of stuff that needs to be extremely simple so that it's easily understood, easily implemented, and easily verified. But what we end up with are terribly complex systems that end up being difficult for anyone to get a good grasp of, and this results in all kinds of problems.

    1. Re:Why the fuck is it so complicated?! by jellomizer · Score: 3, Insightful

      Design by committee.
      An attempt to cover all cases in one protocol = one bad protocol.

      This complexity is part of the problem of not getting more secure systems. Because the business makers ask if this or that has the feature that the other has, and if you say "No, it doesn't," it gets nixed. Even if you never ever use such a feature.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Humans are the worst :) by jopsen · Score: 3, Insightful

    Convenience and security are always opposed.

    No, not really... Because if it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox :)

    Humans are the worst security risk... If you can't eliminate the humans, your best bet is to make it as convenient as possible for them.

    We all know how to send emails safely with GPG, but unless it's very very secret we never do this, because it's inconvenient.
    The best thing we can do for security is making it convenient to do the right thing.

    In the end, it's not the zero day software issues that are going to get you... Most of the time, it's those pesky humans that will make a mistake :)
    When talking security of systems I'm building, I always enjoy joking about how I am the biggest security threat, he he... If only I was joking.

  3. Keep it off the cloud. by Lumpy · Score: 3, Insightful

    Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

    Honestly you have to be insane to trust all your businesses secrets to a freaking cloud service.

    --
    Do not look at laser with remaining good eye.