Serious Flaw Exposed Microsoft Office 365 Accounts
Researchers discovered a severe cross-domain authentication bypass vulnerability that could have been exploited by malicious actors to gain access to Office 365 accounts, including email and files. Microsoft patched the issue within 7 hours after learning of its existence.
The vulnerability, identified by Klemen Bratec and Ioannis Kakavas, is related to the Security Assertion Markup Language (SAML), a standard used for exchanging authentication and authorization data. Microsoft uses SAML for single sign-on (SSO), an authentication process that allows users to access multiple services with a single username and password.
The SAML authority that holds information about the users is called the identity provider. The identity provider issues assertions (XML structures that contain user security information) that are consumed by the service provider when users access a resource.
Microsoft’s implementation of the SAML service provider did not perform adequate checks, allowing an attacker to provide assertions declaring that one identity provider has authenticated the users of a different identity provider.
Tests conducted by Bratec and Kakavas showed that an attacker could have logged in to a targeted user’s account by adding an entry matching the victim’s account to their own user directory. The attacker could then connect to the victim’s account by starting the authentication process on login.microsoftonline.com with their own username, and finishing the login process on the identity provider with the target’s username.
Bratec and Kakavas initially believed the flaw was limited to Microsoft’s SAML 2.0 implementation, which is mostly used in the education sector. However, further tests revealed that even domains federated using Active Directory Federation Services (ADFS) are affected.
This meant that all federated domains (i.e. domains with SSO enabled) were vulnerable, excepting those using multi-factor authentication. The list of major organizations exposed by this flaw included Microsoft, Cisco, IBM, Intel, the International Monetary Fund, Verizon, Vodafone, BT, British Airways, and the City of Chicago.
“It was pretty easy to automate this and check against company domain name lists to identify potential targets, but we did not have the time nor the inclination to do so,” the researchers explained in a blog post detailing the vulnerability.
Bratec and Kakavas discovered the vulnerability in December, and reported it to Microsoft in early January. The tech giant patched the issue within 7 hours and awarded the experts an undisclosed amount of money for their work.