Office 365 logo

Microsoft has fixed a cross-site scripting vulnerability in Office 365, which could theoretically have been exploited by hackers to obtain full control of a company’s email environment.
The issue was reported by the co-founder of security firm Cogmotive, Alan Byrne, in a post on the company blog. “I recently discovered a serious cross-site scripting (XSS) vulnerability in Microsoft Office 365 whilst doing a security audit of our own Microsoft Office 365 Reporting Application,” he wrote.
“Any person with a mailbox in a company using Office 365 could exploit this vulnerability to obtain full administrative permissions over their entire company’s Office 365 environment using just a few lines of JavaScript.”
Byrne proved the vulnerability could be exploited by posting a video guide explaining it on YouTube. He said: “At its core the exploit uses a simple cross-site scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information, which it read out of Windows Azure Active Directory.”
The Cogmotive co-founder said he had followed responsible disclosure protocol and had alerted Microsoft about the flaw before publishing his research.
“Obviously, this is a very serious security issue and I immediately reported it to Microsoft like a good white hat on 16 October 2013. We shared all of our research with the Microsoft Security team who soon confirmed the issue,” he wrote.
“It was resolved by 19 December 2013 and they have graciously allowed me to detail my findings publicly in this article.”
At the time of publishing Microsoft had not responded to V3’s request for comment on Byrne’s research.
The Office 365 vulnerability is one of many recently discovered in Microsoft’s systems and services as the firm faces a number of security issues, not least the continued hacking of its social platforms by the Syrian Electronic Army.