Identity-theft vulnerability fixed in Microsoft Office 365, says security firm

Identity-theft vulnerability fixed in Microsoft Office 365, says security firm

Microsoft has plugged a vulnerability in Microsoft Office 365 that would have let attackers grab user identities and steal email and documents, according to Adallom, the security vendor that says it discovered the problem.

"What we found is if you sent a link to a user by email and the user opens the document, the attacker gets access to the user's tokens," says Ami Luttwak, co-founder and CTO at Adallom. The security firm that informed Microsoft about the software-as-a-service (SaaS) vulnerability, which it says took a few months to fix because of its complexity.

+ MORE ON NETWORK WORLD Cloud Security Alliance offers ultra-high cloud security plan +

Luttwak says the Office 365 "tokens" in question are the means for authentication to log into Office 365 and gain access to applications like Word or Excel. "In a general sense, it's an identity theft attack," he says. Before it was fixed, the attacker could access SaaS-based documents through any device and upload and download them at will, he says.

According to Luttwak, the token-stealing problem was basically a wider "problem with the Microsoft ecosphere" that would impact Microsoft Office 365, SharePoint and SkyDrive. Luttwak said this newer type of security problem in the cloud goes beyond Microsoft Office 365 and in fact, Adallom is working with other vendors to identify and fix similar vulnerabilities found in their SaaS applications.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftendpoint securityanti-malwarecloud security allianceWide Area Network

Show Comments