A flaw in Microsoft Office 365 can expose account credentials by way of a Word document hosted on a webserver and is “totally invisible to existing perimeter and endpoint protection defenses,” according to researcher Noam Liran.
When a user is downloading a document from a SharePoint server, they are required to be logged in to their account. The server verifies the login credentials and issues an authentication token.
Liran discovered he could use his own server to mimic the responses anticipated from a sharepoint.com domain server, elicit the generation of the token, and intercept it.
“Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organisation’s SharePoint Online site, download all of it, modify it, or do whatever it wants, and you will never know about it. In fact, you won’t even know you got hit! It’s the perfect crime,” Liran explained.
Liran has provided a proof-of-concept video outlining the technique.
“The vulnerability we’ve found and the security incident that used it have all the makings of a great crime mystery. Only through months of diligent research were we and the Microsoft Security Response Team able to piece together the elements of what might otherwise have been a perfect crime,” Liran said.
“The patch for this vulnerability is slated for December 2013’s Patch Tuesday and the vulnerability was assigned CVE-2013-5054 (and discussed in Microsoft Security Bulletin MS13-104).”