Finding 365 bugs in Microsoft Office 365 – Help Net Security


Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible is a bug bounty program.

During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.

What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?

I found literally hundreds of bugs in Office 365, but my favourites are "All your Power Apps Portals belong to us" and "Cross-tenant privacy leak in Office 365". In the former, I was able to control Power Portal sites via an Insecure Direct Object Reference (IDOR), while in the latter, as an attacker you can reveal the Lync (Skype for Business) status in a cross-tenant manner. An attacker could see that a particular user is online or "be right back", and at the same time could also reveal the custom location set by the victim.

How would you rate Microsoft Office 365 security in general?

Finding a bug in Microsoft 365 is a challenging task given that Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.

Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.

What type of bugs did you find? What was the severity of the discovered issues?

I found all sorts of bugs, ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.

When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.

What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?

Bug hunting is still in its early days as a field. I would call it an amateur field where both parties (the bug hunter and the bug receiver) are learning.

Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.

When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
