Vulnerabilities ‘that have existed for years’ in WS-Trust could be exploited to attack other services such as Azure and Visual Studio.
Bugs in the multi-factor authentication system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system under, according to researchers at Proofpoint.
The flaws exist in the implementation of what is called the WS-Trust specification in cloud environments where WS-Trust is enabled and used with Microsoft 365, formerly called Office 365. WS-Trust is an
OASIS standard that provides extensions to WS-Security and is used for renewing and validating security tokens, brokering trust relationships – part of a secure message-exchange architecture.
The Organization for the Advancement of Structured Information Standards (OASIS), is a non-profit consortium that promotes open standards in security.
The issue, researchers said, is that WS-Trust is an “inherently insecure protocol” and that Microsoft Identity Providers (IDPs) implemented the specifications with various bugs.
“Due to the way Microsoft 365 session login is designed, an attacker could gain full access to the target’s account (including mail, files, contacts, data and more),” Itir Clarke, senior product marketing manager for Proofpoint’s Cloud Access Security Broker, in a
report posted online Tuesday. “Furthermore, these vulnerabilities could also be used to gain access to various other Microsoft- provided cloud services, including production and development environments such as Azure and Visual Studio.”
