Posted On : 28th November, 2019 by Deepak Naidu
We at ViitorCloud use the Microsoft Office 365 suite as a driver for all our daily work, communications, file management, and so on. ViitorCloud selected Office 365 for the sole reason of the ease of accessing and managing everything in one place, with the added benefit of security.
Working in Quality Assurance for the past 5 years has made me very interested in testing information security because of its challenges. The itch to completely understand any new product and use it to its full advantage never stops for me, so I went ahead and added plugins and tested all the features of Office 365, including the security of files when sharing within the organization or outside it, where I felt confident of my data.
Out of simple curiosity, I was testing the security standards, diving further and further, when I identified a network-layer bug (although I am not entirely certain whether it should be considered a bug or not) which occurs during the login process. The login process is standard, i.e. you enter your email address followed by your password.
In the image above you can see the email address that I use to log in to the Office 365 suite. When we proceed, the system prompts you to enter your password.
Before signing in, I opened the Developer Tools (press F12 on Windows) and navigated to the Network tab. In this tab I enabled the “Preserve log” checkbox, which preserves all the calls made to and from the server.
Note: You can filter the requests by selecting XHR as illustrated in the aforementioned image. XHR stands for XMLHttpRequest, which is an API in the form of an object whose methods transfer data between a web browser and a web server. If you select All, you will see all requests, i.e. images, JS, docs, etc.
Up to this stage, there are no issues at all. The real issue occurs when we click on sign-in and the system asks whether to stay signed in.
At this stage, I looked up the login request in the Network tab and clicked on it to view the details. To my shock, I could see my email and password as plain text (yes, plain text, which we, as a development company, never accept for the solutions we build), which is a security flaw. I agree that someone has to open the developer tools, go to the Network tab and look for the correct request, but still, there are other ways in which this critical information can be obtained by unknown parties or hackers due to the current vulnerability of the Microsoft Office 365 login. There are free tools available in the market that can analyze the current network and store all the network requests, like Wireshark. Considering that this is a Microsoft product that our organization is using, this came as a shock, because if anyone acquired my credentials, they could freely log in to my account and do whatever they wish.
However, there are other products that take preventive measures at all stages, including even the network layer, by encrypting the password before sending it to the server, e.g. Google.
Here’s what happens when I try to log in to my Gmail account:
I looked at many requests in the Network tab but couldn’t find any request where my password was sent in plain text. Moreover, I also couldn’t pinpoint the login request, as all the requests were randomly named.
So, I took it a step further and searched for my email address and went through 2 requests but, to my surprise, I couldn’t find my password anywhere. Even searching for my password yielded no results.
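An added example (not part of the original post): the manual search described above, automated over a HAR file exported from the DevTools Network tab. It reports where each known secret appears and the URL scheme of the request, since DevTools displays request bodies as the browser built them, before TLS encrypts them for the wire. The HAR contents, host names and credential values below are constructed for illustration.

```javascript
// Scan a HAR 1.2 export for known secret values (your own test credentials).
// Decode URL-encoded text; fall back to the raw string if it is malformed.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Returns one finding per (request, secret, location) where the secret appears.
function findSecrets(har, secrets) {
  const findings = [];
  for (const entry of har.log.entries) {
    const req = entry.request;
    const url = new URL(req.url);
    const places = {
      query: decode(url.search),
      body: decode((req.postData && req.postData.text) || ''),
      headers: (req.headers || []).map(h => `${h.name}: ${h.value}`).join('\n'),
    };
    for (const [label, value] of Object.entries(secrets)) {
      for (const [where, text] of Object.entries(places)) {
        if (!text.includes(value)) continue;
        findings.push({
          method: req.method, host: url.host, path: url.pathname,
          secret: label, where,
          // https: the value travelled inside TLS; http: readable on the wire.
          tlsProtected: url.protocol === 'https:',
        });
      }
    }
  }
  return findings;
}

// Constructed HAR fragment (hypothetical hosts, paths and credentials).
const sampleHar = { log: { version: '1.2', entries: [
  { request: { method: 'POST', url: 'https://login.example.test/common/login', headers: [],
      postData: { mimeType: 'application/x-www-form-urlencoded',
                  text: 'login=qa.user%40example.test&passwd=Constructed%2BPass1' } } },
  { request: { method: 'GET', headers: [],
      url: 'http://legacy.example.test/ping?user=qa.user%40example.test' } },
  { request: { method: 'GET', url: 'https://cdn.example.test/app.js', headers: [] } },
] } };

const sampleSecrets = { email: 'qa.user@example.test', password: 'Constructed+Pass1' };
for (const f of findSecrets(sampleHar, sampleSecrets)) {
  console.log(`${f.method} ${f.host}${f.path}: ${f.secret} in ${f.where}, TLS=${f.tlsProtected}`);
}
```

A HAR export contains live credentials and session cookies, so run this only on captures of your own test accounts and delete the file afterwards.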
Personally, for me, logging in to Google points to a more secure authentication process when compared to Microsoft Office 365.
Technology giants like Microsoft should take all preventive measures to provide top-grade security to all their users. For organizations using enterprise products/solutions like Office 365, having such security flaws, even if they can be considered something insignificant, poses a major threat to their data and mission-critical valuable information.