Feeds

Stop! Yammer time: Microsoft blats biz babble account hijacking bug

You can't touch this other users' logins, Miss Hacker

Top 5 reasons to deploy VMware with Tegile

Microsoft has fixed a potentially nasty set of authentication vulnerabilities involving Yammer, the "Facebook for business" enterprise collaboration and social networking platform.

The flaws - discovered by Ateeq Khan, a security researcher in the Vulnerability Laboratory Research Team - would have allowed hackers to bypass the token-based Yammer account authentication system, and log in as users without knowing their corresponding passwords.

Vulnerability Laboratory discovered that, thanks to an insecure implementation of OAuth2 authentication protocol on the Redmond-owned Yammer network, "it is possible to steal other user profiles by simply requesting a leaked access token", which it turns out were not difficult to find.

During testing, Khan was able to find at least two valid tokens using Google search engine cache results via nothing more elaborate than a so-called "Google Dork", a search for sensitive stuff accidentally indexed by the advertising giant. In this case: site:yammer.com inurl:'access_token'.

Further testing revealed that by including the access_token string in a subsequent HTTPS request, it was possible to log into Yammer as the victim. The session is authenticated without entering any password credentials.

"This vulnerability results in a complete compromise of the affected accounts, user profile and the associated risk is critical," an advisory from Vulnerability Laboratory warns. "Exploitation of the vulnerability requires no user interaction and also no registered Yammer account is required. To capture the session the attacker can use a random empty session as form to request."

In a statement, Microsoft said it fixed the problem last week. It said the flaws, described by Vulnerability Laboratory as "critical", had not been used in anger against its customers:

On July 30, 2013, we released an automatic update to help protect our Yammer customers. We have not detected any attacks and there is no action for customers, as they are automatically protected.

Vulnerability Laboratory produced a proof-of-concept demo of the security shortcomings it discovered in Yammer before releasing a minimalist advisory on Sunday and a video illustrating the potential for mischief (see below). The footage shows how to exploit the session token vulnerability it uncovered during its research.

Khan picked up on the vulnerability on 9 July, notifying Microsoft a day later, just less than three weeks before a fix was applied.

The security researchers suggested a number of steps that Microsoft could take towards further securing Yammer - including applying always-on encryption - and tightening up the storage of crypto secrets (such as token credentials). However it's unclear if the software giant concurs with this advice, much less whether or not it intends to apply it.

Yammer is a marketed as offering a "private social network" that's used by 200,000 leading businesses worldwide and an estimated 8 million users. Microsoft acquired Yammer last year, placing it under the umbrella of the Microsoft Office Division. ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.