Title: Office 365 - Account Hijacking Cookie Re-Use Flaw, extended Vendor: - Microsoft Products affected: - Office 365 E3 package (version as of February 22nd, 2014) - Sharepoint Online Services Abstract: The well-known account hijacking through cookie re-use flaw was originally reported in July 2013 by Prof. Sam Bowne and discussed in several forums: http://www.networkworld.com/community/blog/hijacking-office-365-and-other-major-services-cookie-re-use-flaw http://thehackernews.com/2012/12/hotmail-and-outlook-cookie-handling.html http://www.klocwork.com/blog/software-security/cookie-reuse-flaw-exposes-users-of-office-365-other-web-services/ As well as the original vulnerability hasn’t beed closed as of this report, there is another serious impact on defeating this vulnerability: - Changing the password of the user will not invalidate the stolen cookie - Blocking the account (user lockout) will not work as well This allows an attacker to hijack the user account for at least 23 years until the account has been deleted completely. Steps to reproduce: * Pre-requisites: - Office 365 account (E3 package with Sharepoint Services) - As malicious system: Windows O/S Client and Interner Explorer 9 to 11 or Firefox 25+ (Other OSes and Browsers not yet tested), cookies shall not be deleted upon closing the browser. - only password authentication used (default) * Preparation Steps: 1) The user logs on using an untrusted device (eg. Internet Café) to office365 via the official microsoft online portal login.onmicrosoft.com with the setting „keep me signed on“ 2) The user now navigates to his allowed team websites at sharepoint services eg. replacethiswithyourtestsite.onmicrosoft.com 3) The user now leaves the untrusted device by either shutting down the computer, closing the browser or just logging off only from the os, with a) not logging off from microsoft portal properly b) and not cleaning his cookies * Well-known first part - Cookie re-use flaw: 4) A malicious user (eve) can use the (confidential) sharepoint url simply by re-using the cookie. 5) From a valid Sharepoint Online Services access all other services can be accessed (OWA, Skydrive ,etcetera) whilst refreshing their credential cookies * The flaw extension - can’t lockout the attacker: 6) If the user might be aware of its failure or a misuse is detected, the user might try to change its password or let the administrator reset the users password or 7) The administrator might decide to block the account from connecting using the OAC. 8) In both ways, the stolen cookie will still be accepted (see steps 4 to 5) Vendor response: - The issue has been reported to microsoft in several ways: - Ticket 1235308167 (Microsoft support USA) - Ticket 201402160322129434 (Microsoft Partner Support Germany) - Ticket 114021011169872 (Microsoft Office Online User Support Germany) - No solution offered so far, but issue was acknowledged by Microsoft Partner Support Germany Workarounds: - For forensic reasons it might be not recommended, but at this time I don’t see any other solution, the only way is to delete the attacked account completely. - This way is congruent with the workaround Microsoft offers as solution in his online forum O.E.I.-Beratung Géry Oei Tersteegenstr. 9 42579 Heiligenhaus Germany