There could be a big cross-site scripting (XSS) vulnerability in Microsoft Office 365, the cloud version of the Office suite of business software, a researcher said.
While Microsoft did patch the vulnerability, whether companies applied the patch remains open to question. Alan Byrne, managing director of Cogmotive, a London-based Office 365 reporting firm, found the flaw while conducting a security audit of the company’s own Office 365 reporting application.
“The malicious employee would now have access to the Email and SharePoint content of every employee in the company as well as the ability to make any configuration changes to the environment,” he said.
“Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good WhiteHat on October 16, 2013,” he said in his blog post. “We shared all of our research with the Microsoft Security team who soon confirmed the issue. It was resolved by December 19, 2013 and they have graciously allowed me to detail my findings publicly in this article.”
Byrne said in a video that Web developers are used to correctly handling direct user input, but often incorrectly assume that information retrieved from a third-party service is “safe” to be output directly to the browser.
“It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365. If it existed in the earlier Wave 14 version we would have noticed it during one of our previous tests. At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory,” he said in his blog post.
By the time the administrator sees the XSS payload, it is too late and the code has already executed.
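The pattern Byrne describes, trusting fields read back from a directory service, is shown below beside its output-encoded form. This is an added example, not code from Microsoft or Cogmotive; the field names, function names and sample records are constructed for illustration.

```javascript
// Added example: directory records rendered into an admin page.
// Field names (displayName, mailbox) and the records are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the value is trusted because it came from the
// directory service rather than straight from a form field.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.displayName}</td><td>${user.mailbox}</td></tr>`;
}

// Hardened pattern: every directory field is encoded at the point of output,
// regardless of which system stored it.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.displayName)}</td>` +
         `<td>${escapeHtml(user.mailbox)}</td></tr>`;
}

// Audit aid: list stored fields that contain angle brackets, which have no
// place in a display name or mailbox address. Quotes are not flagged, to
// avoid false positives on names such as O'Brien.
function findSuspiciousFields(users) {
  const findings = [];
  for (const user of users) {
    for (const [field, value] of Object.entries(user)) {
      if (/[<>]/.test(String(value))) findings.push({ id: user.id, field });
    }
  }
  return findings;
}

// Constructed sample records, as they might be read back from a directory.
const directoryUsers = [
  { id: 1, displayName: "Dana Example", mailbox: "dana@example.com" },
  { id: 2, displayName: "<script>/* constructed marker */</script>", mailbox: "eve@example.com" },
];

for (const user of directoryUsers) {
  console.log(renderUserRowSafe(user));
}
console.log(findSuspiciousFields(directoryUsers));
```

Encoding at output time protects the page even when the stored value was written through another interface that performed no validation.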
“This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars’ worth of damage. As we move further and further into the cloud we need to be more and more aware of the potential security risks,” Byrne said.