Identity-theft vulnerability fixed in Microsoft Office 365, says security firm

Microsoft has plugged a vulnerability in Microsoft Office 365 that would have let attackers grab user identities and steal email and documents, according to Adallom, the security vendor that says it discovered the problem.

"What we found is if you sent a link to a user by email and the user opens the document, the attacker gets access to the user's tokens," says Ami Luttwak, co-founder and CTO at Adallom. The security firm that informed Microsoft about the software-as-a-service (SaaS) vulnerability, which it says took a few months to fix because of its complexity.

+ MORE ON NETWORK WORLD Cloud Security Alliance offers ultra-high cloud security plan +

Luttwak says the Office 365 "tokens" in question are the means for authentication to log into Office 365 and gain access to applications like Word or Excel. "In a general sense, it's an identity theft attack," he says. Before it was fixed, the attacker could access SaaS-based documents through any device and upload and download them at will, he says.

According to Luttwak, the token-stealing problem was basically a wider "problem with the Microsoft ecosphere" that would impact Microsoft Office 365, SharePoint and SkyDrive. Luttwak said this newer type of security problem in the cloud goes beyond Microsoft Office 365 and in fact, Adallom is working with other vendors to identify and fix similar vulnerabilities found in their SaaS applications.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: Excel, IDG, Microsoft
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Microsoft, security, cloud security alliance, endpoint security, Wide Area Network, anti-malware
All whitepapers

iPhone 6 rumour rollup for the week ending April 21

Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia