Responsible Disclosure Saves Office 365 from Clever XSS Bug


More enterprises have become aware of cloud computing and the benefits it offers the business. As a result, a large share of business information is now stored in, and worked on from, cloud services. Office 365 is one such service, providing employees with a mailbox, a collaborative environment and online versions of the Microsoft Office suite.

Recently, Cogmotive discovered an XSS flaw in Office 365. The hole allowed potential attackers to gain full control of a company’s entire Office 365 environment.

“At its core, the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal,” Cogmotive’s Alan Byrne writes. “The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory.”
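The defect Byrne describes is directory data rendered into portal HTML without escaping. The following is an added illustration, not Cogmotive's or Microsoft's code, with the function names and the sample record all assumed: the unsafe renderer beside a hardened one that escapes every attribute read from the directory.

```javascript
// Added example (not from the original article): render directory attributes
// into an admin-portal table row. escapeHtml, renderMailboxRow* and sampleUser
// are hypothetical names chosen for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text or attribute context.
// A single regex pass means '&' is escaped exactly once and never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: interpolates directory data straight into markup, the class of bug the quote describes.
function renderMailboxRowUnsafe(user) {
  return `<tr><td>${user.displayName}</td><td>${user.mail}</td></tr>`;
}

// Hardened: every value that came from the directory is treated as text, never as markup.
function renderMailboxRow(user) {
  return `<tr><td>${escapeHtml(user.displayName)}</td><td>${escapeHtml(user.mail)}</td></tr>`;
}

// Constructed sample record: a display name that legitimately contains markup characters.
const sampleUser = { displayName: "O'Brien <Sales & Support>", mail: 'obrien@example.com' };

// Quick check a reviewer can run: the hardened row must not contain the raw '<' from the name.
function rowIsEscaped(row, user) {
  return !row.includes(user.displayName);
}
```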

Microsoft was briefed on the issue in October last year and had it patched by the end of 2013. The problem was introduced with the upgrade to Wave 15 of Office 365, and it demonstrates how a simple vulnerability could be worth billions of dollars in damage.

“As we move further and further into the cloud we need to be more and more aware of the potential security risks. There are some large, high profile companies now using Microsoft Office 365 and I know that they will be very concerned to hear about these types of exploits.” – Alan Byrne