Update on the "hijacking Office 365 via cookie reuse flaw"

by Henrik Walther [Published on 8 Oct. 2013 / Last Updated on 8 Oct. 2013]

An update on the infamous "Office 365 cookie hijacking flaw" and the response that were provided from the Microsoft Trustworthy Computing security team.

Several months ago, this guy posted a link on Twitter to an article, wherein he explains how he managed to hijack an Office 365 session (and other services) by re-using the cookie that is generated when logging on to the service.

This manifested in quite some hype in the media as can be seen here and here as well as in the Office 365 communities.

Although the Microsoft Trostworthy Computer security team have provided a response, I still see questions around this "issue" popping up. For that reason, I thought I would post the response from the TwC security team here:

" The Microsoft Office 365 team would like to share the following information with our customers related to the recent questions regarding potential misuse of authentication cookies[1] that are utilized as part of the service. 

What is the issue?  When a user signs out of the Office 365 service, depending on the user’s settings and the processes they have followed, their authentication cookies may persist for a period of time after sign out.  Users on a shared computer, and who have enabled the “Keep Me Signed In” checkbox during their login process are most at risk.  A subsequent user, with access to the same computer, could gain unauthorized access to a previous user’s authentication cookies.

What can I do to protect myself and my users?  Ensure all users exercise due caution when utilizing a shared computer and do not use the “Keep Me Signed In” option when doing so.  In addition users should always sign out of any applications and close the browser completely or utilize the browser delete cookies options[2].  If a user believes that their account has been compromised, they should contact their Office 365 administrator, who should temporarily disable the user’s account to allow any existing cookies to expire.  Please note that resetting a user’s password will not address this particular scenario, although it will prevent additional access after the compromised cookies expire.

What is Microsoft doing to help me?  Microsoft is continually evolving its security, and will provide updates during the regular roadmap discussions.  In addition, Microsoft Office 365 utilizes standard cookie protection mechanisms to protect against cookie theft and tampering, including the following:

  • Setting cookie expiration and authenticated session timeouts

  • Following the Microsoft standard of setting “httponly” on authentication cookies, which protects them from being stolen by Cross-Site Scripting (XSS) attacks

  • Setting the ‘secure’ flag on authentication cookies, which requires those cookies to be transmitted using SSL/TLS

Also, all Office 365 users on the most recent version of the service access their web-based data over SSL/TLS, which has proven to be effective against “Man in the Middle” attacks on their data in transit, including cookies.  A future update will offer both administrators and users two-factor authentication to help protect against account compromises.  Microsoft encourages customers to take advantage of this new security feature as soon as it’s available.  

Microsoft values your business and the trust you have placed in us to keep your data safe.  By following the suggestions provided above, customers can assist in reducing any opportunities for exposure. 


[1] http://support.microsoft.com/kb/260971

[2] http://support.microsoft.com/kb/278835

 

 

Until later,
Henrik Walther

Add Review or Comment

Featured Links