Potentially major XSS/JavaScript flaw found in Office 365

News by Steve Gold

Microsoft Office 365's security outlook: cloudy

Minor security flaws in Microsoft Office 365 - the cloud version of the popular Office suite of business software - are nothing new, but a researcher claims to have spotted a potentially serious XSS (Cross Site Scripting) vulnerability in the software/service.

According to Alan Byrne, managing director of Cogmotive, the London-based Office 365 reporting firm, he and his team discovered the flaw when conducting a security audit of the company's own Microsoft Office 365 reporting application.

Any person with a mailbox in a company using Office 365, he says in his latest security posting, could exploit this vulnerability to obtain full Administrative permissions over their entire company's Office 365 environment using just a few lines of JavaScript.

"The malicious employee would now have access to the Email and SharePoint content of every employee in the company as well as the ability to make any configuration changes to the environment," he said, adding that he reported the problem to Microsoft in October, since when it has been patched.

Posting a video of his findings to YouTube, Byrne notes that Web developers are used to correctly handling direct user input, but often incorrectly assume that information retrieved from a third party service is “safe” to be directly output to the browser.

"It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365. If it existed in the earlier Wave 14 version we would have noticed it during one of our previous tests. At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory," he says in his analysis.

"The Office 365 Web portal is just like any other Web application and even uses the jQuery library. This made it relatively easy to craft an XSS string that loaded a JavaScript file from a remote web server and executed its contents," he adds.

By the time the administrator sees the XSS payload, he goes on to say, it is too late and the code has already been executed.
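The pattern Byrne describes, trusting data read from a directory service when writing it into a page, is shown here next to an output-encoded version. This is an added example, not code from Cogmotive or Microsoft; the record fields (`id`, `displayName`, `mail`), the function names and the sample records are assumptions constructed for illustration.

```javascript
// Added example: directory-sourced fields rendered into an admin page.
// Field names, function names and sample records are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the value is trusted because it came from a
// back-end service rather than from the current request.
function renderRowUnsafe(user) {
  return '<tr><td>' + user.displayName + '</td><td>' + user.mail + '</td></tr>';
}

// Hardened pattern: every field is encoded at output time, whatever its source.
function renderRowSafe(user) {
  return '<tr><td>' + escapeHtml(user.displayName) +
         '</td><td>' + escapeHtml(user.mail) + '</td></tr>';
}

// Audit helper: list ids of stored records whose fields contain angle
// brackets, so they can be reviewed before any page renders them.
function findSuspectRecords(users) {
  return users
    .filter((u) => /[<>]/.test(u.displayName) || /[<>]/.test(u.mail))
    .map((u) => u.id);
}

// Constructed sample data standing in for records read from a directory service.
const SAMPLE_USERS = [
  { id: 1, displayName: 'Alice Example', mail: 'alice@example.com' },
  { id: 2, displayName: 'Bob <script>/* constructed marker */</script>', mail: 'bob@example.com' },
  { id: 3, displayName: "O'Neil & Sons", mail: 'oneil@example.com' },
];

console.log(renderRowUnsafe(SAMPLE_USERS[1])); // markup reaches the page intact
console.log(renderRowSafe(SAMPLE_USERS[1]));   // markup is shown as inert text
console.log(findSuspectRecords(SAMPLE_USERS)); // ids to review
```

In jQuery-based pages the same distinction applies: `.text(value)` encodes the value, while `.html(value)` or concatenating it into a markup string does not.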

Malicious use?

"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud we need to be more and more aware of the potential security risks. There are some large, high profile companies now using Microsoft Office 365 and I know that they will be very concerned to hear about these types of exploits," he says.

"No-one knows if someone much more malicious discovered this bug before I did and has used it for profit by extracting sensitive information," he adds.

Commenting on the flaw - and the fact that the XSS/JavaScript issue has been fixed - Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, said that it demonstrates just how vulnerable trusted services can be when they are taken out of the organisation and are fully dependent on a third party service.

"It's also, of course, about the smartness, and complexities of these types of implementations that, by inference can increase their exposure," he said, adding that 'cleverness' always tends to arrive with an increased opportunity of compromise.

Professor Walker, who is also CTO of IT security consultancy Integral Security Xssurance, went on to say that this type of security event also serves to reinforce the fact that, even when the business outsources and subscribes to some remote service - or provision of applications - security is still very much a matter of internal interest, and ownership.

"The bottom line here is that security can never be truly outsourced if you care about your business," he concluded.

According to Fran Howarth, a senior security analyst with Bloor Research, Cross-Site Scripting remains a serious security risk and is consistently singled out - including in the OWASP list of the top 10 vulnerabilities - as one of the most important vulnerabilities to guard against.

"The extent of this vulnerability found indicates just how serious it is as any company using Office 365 could potentially see a highly damaging data loss as a result of this vulnerability being exploited. This also shows the importance of ensuring that security patches issued by vendors are applied in a timely manner," she said.

Radek Dymacz, Head of R&D with secure hosting provider Databarracks, told SCMagazineUK.com that Microsoft has a long history of security vulnerabilities - so this latest report does not come as a surprise.

“The knee-jerk reaction is to treat this as ‘another cloud security problem’ but really, it's the same problem we've always seen. This vulnerability didn't affect all customers across the Office 365 platform so it was just like an old problem like you would see with on-premise IT,” he said.
