Adallom demonstrated that exploiting an Office 365 Token Disclosure Vulnerability an attacker can steal organisations SharePoint credentials.
Adallom chief software architect Noam Liran published a very interesting post on a severe Office 365 Token Disclosure Vulnerability, the researcher demonstrated how an attacker can steal Microsoft Office 365 credentials if victims host a Word document on their webserver.
The flaw is related to the authentication method implemented by cloud service, Office 365 requests users to log in to their account to access to their online storage, and when users need to download a document from a SharePoint server, it verifies the credentials of the currently logged-in user by sending an authentication token.
Be aware, the authentication token is sent only if the server is deployed on the sharepoint.com domain, but the researcher at Adallom discovered that by running his own server and replying with responses that would be expected of a legitimate SharePoint server, the user’s computer would send the authentication token anyway.
To prof the flaw Liran wrote a really simple web server that plays back the same authentication responses provided by SharePoint Online to Word, keeping the WWW-Authenticate header with RootDomain=”sharepoint.com”. The cool thing is the the research has done it up under a domain name which isn’t sharepoint.com.
“Word regarded my web server as the quintessential sharepoint.com, and sent its Office 365 token towards my malicious web server, solely based on the this frivolous WWW-Authenticate header that said I was sharepoint.com.
My web server, programmed to work just like the original SharePoint site, gave Word a cookie for accessing SharePoint and then gave Word the document it wanted. And it was flawless. Invisible. (Gruesome.) Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organization’s SharePoint Online site, download all of it, modify it or do whatever it wants, and you will never know about it. In fact, you won’t even know you got hit! It’s the perfect crime.” he wrote.
Below the proof of concept video demonstrating how authentication tokens can be easily stolen.
Adallom has collaborated with Microsoft to discovery the flaw in Office 365 and to reproduce it, Microsoft has rated the vulnerability as important and issued a specific security bulletin.
“This security update resolves one privately reported vulnerabilityin Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site. This security update is rated Important for supported editions of Microsoft Office 2013 and Microsoft Office 2013 RT software. ” states the advisory.
The patche for the Office 365 Token Disclosure Vulnerability wea released earlier this month.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.