Microsoft says it hasn't detected any attacks that exploit the vulnerability

Aug 6, 2013 09:18 GMT  ·  By

Pakistani security researcher Ateeq Khan, a member of the Vulnerability Lab, has identified a critical OAuth bypass vulnerability in Yammer, the enterprise social network owned by Microsoft.

Vulnerability Lab says the issue was reported to Microsoft on July 10. The Redmond company almost immediately acknowledged the existence of the flaw and addressed it at the end of the same month.

Vulnerability Lab published the details of the security hole on Sunday night and even provided a proof-of-concept video.

According to the advisory published by Vulnerability Lab, the OAuth bypass session token vulnerability could have been leveraged to hijack any user account.

“There is no protocol support to check the authenticity of the Server during the handshakes. So essentially, through phishing or other exploits, user requests can be directed to a malicious Server where the User can receive malicious or misleading payloads,” the report reads.

“It has been discovered that due to insecure implementation of OAuth on the Yammer network, it is possible to steal other user profiles by simply requesting a leaked access token which can be acquired from publicly accessible search engine results (Google's Cache) and/or by other possible means,” it continues.

In the tests they performed, the researchers were able to obtain valid access tokens via a simple Google search. They found that by including such a token in the HTTPS request made by the browser, they could log into a Yammer user’s account without needing his/her credentials.

For the attack to work, no interaction was needed on the victim’s part. In fact, the attacker didn’t even require a Yammer account.
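The exposure path described above is what a defender would want to detect in their own traffic: an access token that travels in a URL is written to server logs, leaks through Referer headers and can be indexed by search engines. The following Python scanner is an added example and is not code from Vulnerability Lab, Microsoft or Yammer; it assumes (the advisory does not say) that the leaked tokens were passed as query-string parameters, and the log lines it scans are constructed sample data.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names under which OAuth tokens are commonly passed.
# Assumption (not stated in the advisory): the leaked Yammer tokens travelled this way.
TOKEN_PARAMS = {"access_token", "oauth_token", "token"}

# Constructed access-log lines in Combined Log Format (sample data, not real Yammer traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2013:09:18:00 +0000] "GET /api/v1/messages.json?access_token=abc123def456&limit=20 HTTP/1.1" 200 512 "https://www.example.com/search" "Mozilla/5.0"
10.0.0.6 - - [06/Aug/2013:09:18:01 +0000] "GET /api/v1/users/current.json HTTP/1.1" 200 844 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Aug/2013:09:18:02 +0000] "GET /search?q=quarterly+report HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

# Pulls the request line (method, target, status) out of a log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def redact_url(target: str) -> str:
    """Return the request target with token-bearing query values replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def find_token_leaks(log_text: str) -> list:
    """Flag requests that carry an OAuth token in the URL.

    Returns one record per offending line with the parameter name(s) found and a
    redacted copy of the URL that is safe to paste into a ticket; the raw token
    itself is never returned.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        leaked = [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in TOKEN_PARAMS]
        if leaked:
            findings.append({"line": lineno, "params": leaked, "redacted": redact_url(m.group("target"))})
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: token in {f['params']} -> {f['redacted']}")
```

The remediation the scan points at is to send the token only in an `Authorization: Bearer` header, so it never enters the URL that logs, referrers and crawlers see.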

Microsoft representatives have confirmed for Softpedia that the issue has been addressed.

“On July 30, we released an automatic update to help protect Yammer customers. We have not detected any attacks and there is no action for customers, as they are automatically protected,” a Microsoft spokesperson said via email.

The company will include Ateeq Khan on its “Security Researcher Acknowledgments for Microsoft Online Services” page in September.

Here is the proof-of-concept video that shows the existence of the OAuth bypass flaw in Yammer:
