Title:
Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
Vendor:
- Microsoft
Products affected:
- Office 365 E3 package (version as of February 22nd, 2014)
- Sharepoint Online Services
Abstract:
The well-known account hijacking through cookie re-use flaw was originally reported in July 2013 by Prof. Sam Bowne and discussed in several forums:

http://www.networkworld.com/community/blog/hijacking-office-365-and-other-major-services-cookie-re-use-flaw

http://thehackernews.com/2012/12/hotmail-and-outlook-cookie-handling.html

http://www.klocwork.com/blog/software-security/cookie-reuse-flaw-exposes-users-of-office-365-other-web-services/
While the original vulnerability has not been closed as of this report, there is a further serious impact that defeats the usual responses to this vulnerability:
- Changing the user's password does not invalidate the stolen cookie
- Blocking the account (user lockout) does not work either
This allows an attacker to hijack the user account for at least 23 years, until the account has been deleted completely.
Steps to reproduce:
* Pre-requisites:
- Office 365 account (E3 package with Sharepoint Services)
- As the malicious system: a Windows client with Internet Explorer 9 to 11 or Firefox 25+ (other OSes and browsers not yet tested); cookies must not be deleted upon closing the browser.
- Only password authentication used (default)
* Preparation Steps:
1) The user logs on from an untrusted device (e.g. an Internet café) to Office 365 via the official Microsoft online portal login.onmicrosoft.com with the setting "keep me signed on"
2) The user then navigates to his permitted team sites on SharePoint Services, e.g. replacethiswithyourtestsite.onmicrosoft.com
3) The user then leaves the untrusted device by shutting down the computer, closing the browser, or merely logging off from the OS, while
a) not logging off from the Microsoft portal properly
b) and not clearing his cookies
* Well-known first part - Cookie re-use flaw:
4) A malicious user (Eve) can open the (confidential) SharePoint URL simply by re-using the cookie.
5) From a valid SharePoint Online Services session, all other services (OWA, SkyDrive, etc.) can be accessed, refreshing their credential cookies along the way.
* The flaw extension - the attacker can't be locked out:
6) If the user becomes aware of his mistake or a misuse is detected, the user may change his password or have the administrator reset his password, or
7) The administrator may decide to block the account from connecting using the OAC.
8) Either way, the stolen cookie is still accepted (see steps 4 to 5)
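Added example (not from the advisory and not Microsoft's code): a minimal session-validation model in which each cookie is bound to the account's current credential generation and to a disabled flag, so that the password change in step 6 and the lockout in step 7 both cause a previously issued cookie to be rejected. All class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed, in-memory model: every session cookie carries the account's
# "credential generation" at issue time. A password change bumps the generation
# and a lockout sets a disabled flag, so a cookie copied off an untrusted device
# stops validating as soon as either happens. All names are assumptions.
SECRET = secrets.token_bytes(32)  # per-service cookie signing key


class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.credential_generation = 0
        self.disabled = False
        self.set_password(password)

    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        self.credential_generation += 1  # every earlier cookie is now stale

    def block(self):
        self.disabled = True  # administrator lockout


def sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(account, now, ttl=3600):
    payload = f"{account.user_id}|{account.credential_generation}|{int(now) + ttl}"
    return f"{payload}|{sign(payload)}"


def validate_cookie(cookie, accounts, now):
    parts = cookie.split("|")
    if len(parts) != 4:
        return False
    user_id, generation, expiry, sig = parts
    if not hmac.compare_digest(sig, sign("|".join(parts[:3]))):
        return False  # forged or tampered cookie
    if int(expiry) <= now:
        return False  # expired
    account = accounts.get(user_id)
    if account is None or account.disabled:
        return False  # account deleted or locked out
    # The check the advisory finds missing: reject cookies minted before the
    # most recent password change.
    return int(generation) == account.credential_generation
```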
Vendor response:
- The issue has been reported to Microsoft in several ways:
- Ticket 1235308167 (Microsoft support USA)
- Ticket 201402160322129434 (Microsoft Partner Support Germany)
- Ticket 114021011169872 (Microsoft Office Online User Support Germany)
- No solution offered so far, but the issue was acknowledged by Microsoft Partner Support Germany
Workarounds:
- For forensic reasons it might not be recommended, but at this time I don't see any other solution; the only way is to delete the attacked account completely.
- This approach is congruent with the workaround Microsoft offers as a solution in its online forum
O.E.I.-Beratung
Géry Oei
Tersteegenstr. 9
42579 Heiligenhaus
Germany