If you use Microsoft Office 365 products at work or at home, you should be aware of a far-reaching vulnerability in the software. The way Microsoft Office 365 manages “federated identities” through Security Assertion Markup Language (SAML) allows hackers to infiltrate accounts, data, e-mail messages and files within the software’s cloud. Relying on the cloud for data storage is certainly in vogue, yet more and more stories are emerging about the cloud’s security weaknesses. The Microsoft Office 365 vulnerability is just the latest example of the problem with a total reliance on the cloud for information storage and retrieval. Though Microsoft responded to the flaw with a January 5 mitigation, it is still abundantly clear that cloud storage is fallible.
SAML is a standard that businesses and other entities use to exchange authentication and authorization information. It permits single sign-on across a number of different websites, which greatly improves efficiency. Microsoft’s use of SAML version 2.0 in Office 365 is flawed in that it does not authenticate the element known as the NameID. As a result, the exchange relies on other values for authentication, such as the IDPEmail attribute. The Service Provider relied on the Issuer of the Assertion yet did not perform “sanity checks” on the IDPEmail attribute value. As a result, it would readily consume assertions in which Identity Provider A claimed to have authenticated users of Identity Provider B.
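The missing “sanity check” described above, sketched as an added example (not Microsoft's code and not part of the original article): a service provider confirms that the domain in IDPEmail is one registered to the assertion's Issuer. The issuer URLs, the domain registry and the function names are assumptions, the sample assertions are constructed, and signature validation is assumed to have already passed.

```python
# Added example: bind the IDPEmail domain to the Issuer of a SAML 2.0 assertion.
# Assumes the signature was already verified and the XML came from a hardened parser.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical registry: e-mail domains each federated issuer may assert.
FEDERATED_DOMAINS = {
    "https://idp-a.example/saml": {"tenant-a.example"},
    "https://idp-b.example/saml": {"tenant-b.example"},
}

def idp_email_allowed(assertion_xml: str) -> bool:
    """Return True only if the IDPEmail domain is registered to the Issuer."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    allowed = FEDERATED_DOMAINS.get(issuer)
    if not allowed:
        return False  # unknown issuer: reject outright
    values = [
        (v.text or "").strip()
        for attr in root.iterfind(".//saml:Attribute[@Name='IDPEmail']", NS)
        for v in attr.iterfind("saml:AttributeValue", NS)
    ]
    if len(values) != 1:
        return False  # missing or ambiguous identity attribute
    local, sep, domain = values[0].rpartition("@")
    if not sep or not local:
        return False  # not a usable e-mail address
    return domain.lower() in allowed

def make_assertion(issuer: str, email: str) -> str:
    """Build a minimal, unsigned, constructed assertion for the demo."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:AttributeStatement>"
        '<saml:Attribute Name="IDPEmail">'
        f"<saml:AttributeValue>{email}</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )

if __name__ == "__main__":
    idp_a = "https://idp-a.example/saml"
    print(idp_email_allowed(make_assertion(idp_a, "alice@tenant-a.example")))
    print(idp_email_allowed(make_assertion(idp_a, "bob@tenant-b.example")))
```

The second call is the cross-tenant case from the paragraph above: Identity Provider A vouching for a user whose domain belongs to Identity Provider B, which this check rejects.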
Details About the Attack
The Office 365 SAML service provider implementation vulnerability was first discovered by Kakavas, a Research and Technology Network company based in Greece. The firm figured out that the software’s weakness permitted cross-domain authentication bypass against federated domains. The reach of this attack is vast. It encompasses Outlook Online, Skype for Business, OneDrive, OneNote and more. All in all, any Microsoft Office 365 product a company has licensed is vulnerable. Malevolent individuals take advantage of the vulnerability in order to obtain access to highly sensitive personal and corporate information. Corporate in-house documents, e-mails and more have been exposed to hackers. Organizations with domains configured as federated, and therefore affected by the vulnerability, include Verizon, Vodafone and British Airways.
Representatives from Kakavas report that the Office 365 flaw was surprisingly simple to exploit. The bug could have been present in the software since its release to the masses, or it could have been introduced at any point since. In order to take advantage of the Office 365 weakness, a hacker merely needed a trial subscription to the software along with an installation of a SAML 2.0 Identity Provider. In-depth knowledge of SAML is not required to take advantage of the flaw. Once SAML SSO is established with Office 365, the hacker is well on his way to infiltrating the user’s or company’s data. Hackers with extensive SAML knowledge have taken the hack to the next level by devising a tool that executes the attack automatically without requiring the SAML 2.0 Identity Provider. Yet the weakness is not strictly limited to individual sign-ons with SAML. Hackers have been able to execute the attack through Active Directory Federation Services as well.
Our IT Service Can Protect Your Company’s Computer Hardware, Software and Networks
Fuelled Networks is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (613) 828-1280 or send us an email at firstname.lastname@example.org for more information.
Published On: 10th May 2016 by Ernie Sherman.