Office 365 Bug Leaves SharePoint Users Vulnerable

Jan 6, 2014

Share this News

Just when you thought you were safe and sound in your SharePoint cocoon it turned out, just before Christmas, that there was a major bug in Microsoft Office 365 that could expose your organisation to a serious security breach.  The bug was discovered and tested by Noam Liran, chief software architect at Adallom.  Once the bug was revealed, Adallom produced a video demonstrating how it worked.  Fortunately, Microsoft quickly came out with a patch to solve the problem. According to numerous sources, the bug resides in the way SharePoint servers authenticate users.  Being that both Microsoft Office 365 and SharePoint are essentially cloud-based, anyone can attempt to log into a share point account from just about anywhere.  By using a fake server and an Office document, Liran was able to fool a user computer into sending a SharePoint security token.  The process turned out to be quite simple. When a Microsoft Office 365 user attempts to download a document from a SharePoint account, the SharePoint server verifies the authentication credentials of the Office 365 account holder and returns a security token.  That token is only supposed to be sent to a computer already on a SharePoint domain however, Liran's fake server was able to return the necessary information that would normally be expected by the Office 365 computer, allowing the token to be sent anyway. In principle, this bug could be used to exploit everything from documents to managed services.  Essentially anything on a SharePoint server could be accessed, downloaded and manipulated in any way the hacker saw fit.  The fact that it was so easy should be alarming to anyone involved in cloud computing and data centre operations.

The Cloud Computing Quagmire

This latest security bug from Microsoft Office 365 perfectly illustrates why the cloud computing concept has not enjoyed the breakout success companies like Microsoft have been hoping for.  For better or for worse, the entire cloud concept is one rife with potential security breaches that far too many business executives and IT professionals are uncomfortable with. True, there will always be security risks as long as we continue to use networked data communications.  Nevertheless, there is a long-standing axiom that cannot be ignored: the more complex a system, the greater its vulnerabilities.  Cloud computing is, by its very nature, a complex system. Moreover, regardless of whether you are talking about Microsoft Office 365, SharePoint, virtual servers or any other related technologies, there will always be more security vulnerabilities than the experts can keep up with.


That's not to say we should consider abandoning cloud computing.  It has simply to suggest that the cloud is not a one-size-fits-all solution for every business and networking need.  We need to keep as many options open to meet as many needs as possible and businesses and cloud providers need to cut their cloth accordingly.  In the meantime, security needs to always be the number one priority of all network communications.