
Security researcher Alan Byrne has disclosed a Cross Site Scripting (XSS) vulnerability in Microsoft Office 365 that would allow an attacker to obtain administrator privileges, gain access to email and SharePoint content across the company’s Office 365 environment, and make configuration changes.

“Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full Administrative permissions over their entire company’s Office 365 environment using just a few lines of JavaScript,” Byrne wrote.

“At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory.”
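The bug class Byrne describes, as an added illustration that is not his code or Microsoft's: a listing page interpolates directory attributes (here a hypothetical record with `displayName` and `mail` fields; the table markup is also assumed) into HTML without encoding them, so a value any mailbox owner can set becomes live markup in the administrator's browser. The hardened renderer encodes the HTML-significant characters first, and a small check shows how a test could catch the regression.

```javascript
// Constructed sample records standing in for user and mailbox information
// read out of a directory. The second display name carries markup, the kind
// of value a low-privilege user can put into their own profile attributes.
const SAMPLE_MAILBOXES = [
  { displayName: "Alice Example", mail: "alice@example.test" },
  { displayName: '<img src=x onerror="alert(1)">', mail: "mallory@example.test" },
];

// Vulnerable pattern: directory values are concatenated straight into HTML,
// so any markup inside an attribute is parsed as markup by the admin's browser.
function renderRowUnsafe(mbx) {
  return `<tr><td>${mbx.displayName}</td><td>${mbx.mail}</td></tr>`;
}

// Fix: encode the five HTML-significant characters before interpolation.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRowSafe(mbx) {
  return `<tr><td>${escapeHtml(mbx.displayName)}</td><td>${escapeHtml(mbx.mail)}</td></tr>`;
}

function renderTable(mailboxes, renderRow) {
  return `<table>${mailboxes.map(renderRow).join("")}</table>`;
}

// Regression check: after removing the tags the template itself emits,
// any remaining '<' followed by a letter means data leaked in as markup.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(table|tr|td)>/g, "");
  return /<[a-zA-Z]/.test(stripped);
}
```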

Byrne produced the following video that demonstrates the exploit:

“Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good WhiteHat on October 16, 2013. We shared all of our research with the Microsoft Security team who soon confirmed the issue. It was resolved by December 19, 2013 and they have graciously allowed me to detail my findings publicly,” Byrne noted.

A detailed analysis of the vulnerability, the exploit, and the attack’s payload can be found in Byrne’s full write-up.