Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365 Flaw Allowed Anyone To Log In To Almost Any Business Account (threatpost.com)

Posted by msmash on from the embarrassing-security-holes dept.

Reader msm1267 writes: A severe vulnerability in the way Microsoft Office 365 handles federated identities via SAML put an attacker in a position to have access to any account and data, including emails and files stored in the cloud-based service. Microsoft pushed through a mitigation to the service on Jan. 5, seven hours after being notified by researchers Yiannis Kakavas and Klemen Bratec. "The attack surface was quite big (Outlook Online, OneDrive, Skype for Business, OneNote -- depending on what the company has paid for in terms of licensing)," Kakavas and Bratec told Threatpost via email. "And a malicious user exploiting this vulnerability could have gained access to very sensitive private and company information (emails, internal documents etc. )." Office 365 users who had configured domains as federated were affected. The list includes British Airways, Microsoft, Vodafone, Verizon and many others, as mentioned in a report published late Wednesday.

5 of 59 comments (clear)

  1. This is only the beginning.. by bravecanadian · · Score: 5, Interesting

    Convenience and security are always opposed. Having all your eggs in one basket sure is convenient but Office365 covers a wide variety of services in complex configurations and this sort of thing is bound to happen. It will happen to all of these big services (iCloud, Google, AWS etc.) if it hasn't already.

    A simple configuration mistake can also be amplified into a very big problem.

    And I say that as someone who thinks Office365 is helpful for my business.

  2. If Microsoft builds a self-driving car by phantomfive · · Score: 3, Funny

    If Microsoft builds a self-driving car, I will leave the road for a few years until they all crash. At a minimum until version 3.11.

    --
    "First they came for the slanderers and i said nothing."
  3. Humans are the worst :) by jopsen · · Score: 3, Insightful

    Convenience and security are always opposed.

    No, not really... Because if it's not convenient then people are going to have stupid passwords, and they are going to write the passwords down in a text file and sync it over dropbox :)

    Humans are the worst security risk... If you can't eliminate the humans, your best bet is to make it as convenient as possible for them.

    We all know how to send emails safely with GPG, but unless it's very very secret we never do this, because it's inconvenient.
    The best thing we can do for security is making it convenient and to do the right thing..

    In the end, it's not the zero day software issues that's going to get you... Most of the time, it's those pesky humans that will make a mistake :)
    When talking security of systems I'm building, I always enjoy joking about how I am the biggest security threat, he he... If only I was joking.

  4. Re:Why the fuck is it so complicated?! by jellomizer · · Score: 3, Insightful

    Design by committee.
    An attempt to cover all cases in one protocol = one bad protocol.

    This complexity is part of the problem of not getting more secure systems. Because the business makers ask if this or that has the feature that the other has. And you will say No it doesn't it gets nixed. Even if you never ever use such feature.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. Keep it off the cloud. by Lumpy · · Score: 3, Insightful

    Honestly any business using the "cloud" is utterly insane. Quit being cheapskates and buy servers and software, hire an IT person at high 5 figures and take it out of the CEO's pay.

    Honestly you have to be insane to trust all your businesses secrets to a freaking cloud service.

    --
    Do not look at laser with remaining good eye.