Identity-theft vulnerability fixed in Microsoft Office 365, says security firm

Microsoft has plugged a vulnerability in Microsoft Office 365 that would have let attackers grab user identities and steal email and documents, according to Adallom, the security vendor that says it discovered the problem.

“What we found is if you sent a link to a user by email and the user opens the document, the attacker gets access to the user’s tokens,” says Ami Luttwak, co-founder and CTO at Adallom. The security firm that informed Microsoft about the software-as-a-service (SaaS) vulnerability, which it says took a few months to fix because of its complexity.

Luttwak says the Office 365 “tokens” in question are the means for authentication to log into Office 365 and gain access to applications like Word or Excel. “In a general sense, it’s an identity theft attack,” he says. Before it was fixed, the attacker could access SaaS-based documents through any device and upload and download them at will, he says.

According to Luttwak, the token-stealing problem was basically a wider “problem with the Microsoft ecosphere” that would impact Microsoft Office 365, SharePoint and SkyDrive. Luttwak said this newer type of security problem in the cloud goes beyond Microsoft Office 365 and in fact, Adallom is working with other vendors to identify and fix similar vulnerabilities found in their SaaS applications.