Ateeq Khan, a Pakistani researcher from the Vulnerability Laboratory research team, has discovered multiple critical vulnerabilities in the Microsoft Yammer social network.
An OAuth bypass session token web vulnerability was detected in the official Microsoft Yammer social network online-service application.
OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other resource providers and social networking sites.
According to the advisory, the vulnerability allows remote attackers to bypass the token protection and compromise the account authentication system of the web application.
Due to the insecure implementation of OAuth on the Yammer network, user requests can be directed, through phishing or other exploits, to a malicious server where the user receives malicious or misleading payloads. It is also possible to take over other users' profiles simply by requesting a leaked access token, which can be acquired from publicly accessible search engine results.
Using the Google search engine, the researchers were able to find a particular link listed publicly in the results; upon requesting that link directly in the browser, the researcher was instantly logged in as the given user with full privileges to the profile. This way, the session gets authenticated without entering login/password credentials.
As explained by the researchers to 'The Hacker News', the variable that is revealed publicly is located in the Yammer API module, in the /api/v1/messages?access_token=[Valid Token Here] parameter.
This vulnerability results in a complete compromise of the affected accounts and user profiles, and the associated risk is critical. Exploitation of the vulnerability requires no user interaction, and no registered Yammer account is required. To capture the session, the attacker can issue the request from any fresh, unauthenticated session.
Proof of Concept:
The remote authentication bypass vulnerability can be exploited by a remote attacker without a privileged application user account or user interaction. For demonstration or to reproduce:
- Use the following Google dork to find valid access tokens listed publicly in the search engine cache results. Google Dork: site:yammer.com inurl:'access_token'
- Open the POC link #1 in your browser, https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA (you will be directly authenticated as the affected user upon requesting the link).
- Open another browser tab and visit the Yammer social network website (https://www.yammer.com).
- You will now be redirected to the user profile with full access and privileges, proving the existence of this vulnerability.
The issue was patched one day ago by the Yammer team. According to the researcher, TLS/SSL is the recommended approach to prevent any eavesdropping during the data exchange. Search engine bots should be restricted from crawling and capturing sensitive URL parameters from user sessions. Protecting the integrity of the client credentials and token credentials works fairly well when it comes to storing them on servers.
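The root cause described above is an access token carried in the URL query string, where it ends up in server logs, referrer headers, proxy caches and, as the researchers found, search engine results. The following Python is an added example written for this article, not code from Yammer, Microsoft or the Vulnerability Laboratory. It shows the two defensive checks a practitioner would want: a scanner that flags and redacts token-bearing URLs in access logs (the log lines are constructed sample data, and `EXAMPLE_TOKEN_1`/`EXAMPLE_TOKEN_2` are placeholders, not real tokens), and a hardened token extractor that accepts a bearer token only from the `Authorization` header and rejects requests that put it in the query string. RFC 6750 permits the query-string form but says it should not be used precisely because of these leakage paths; the function names and the `SENSITIVE_PARAMS` list are this example's own choices.

```python
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines in common log format (not real Yammer traffic).
# Lines 1 and 3 carry a token in the query string; lines 2 and 4 do not.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /api/v1/messages?access_token=EXAMPLE_TOKEN_1 HTTP/1.1" 200 512
203.0.113.6 - - [01/Jan/2013:10:00:02 +0000] "GET /api/v1/messages HTTP/1.1" 401 12
203.0.113.7 - - [01/Jan/2013:10:00:03 +0000] "GET /search?q=hello&access_token=EXAMPLE_TOKEN_2 HTTP/1.1" 200 88
203.0.113.8 - - [01/Jan/2013:10:00:04 +0000] "GET /about HTTP/1.1" 200 13
"""

# Query parameter names that should never carry a credential in a URL (example's own list).
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token", "auth"}

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def find_token_leaks(log_text):
    """Return [(line_no, [param names])] for each request whose query string carries a credential."""
    leaks = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group("target")).query)
        hits = sorted(SENSITIVE_PARAMS & set(query))
        if hits:
            leaks.append((line_no, hits))
    return leaks


def redact_url(url):
    """Replace sensitive query values with REDACTED so a URL can be logged without the secret."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def extract_bearer_token(headers, query_string):
    """Hardened extractor: the token is accepted only from the Authorization header.

    Returns (token, None) on success or (None, reason) when the request is rejected.
    A token in the query string is refused rather than honoured, because query strings
    land in referrer headers, server logs, proxies and search engine caches.
    """
    if SENSITIVE_PARAMS & set(parse_qs(query_string)):
        return None, "credential in query string is not accepted"
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not value.strip():
        return None, "missing or malformed Authorization header"
    return value.strip(), None


if __name__ == "__main__":
    for line_no, params in find_token_leaks(SAMPLE_LOG):
        print(f"line {line_no}: credential in query string ({', '.join(params)})")
    print(redact_url("https://www.yammer.com/api/v1/messages?access_token=EXAMPLE_TOKEN_1&x=1"))
    print(extract_bearer_token({"Authorization": "Bearer EXAMPLE_TOKEN_1"}, ""))
    print(extract_bearer_token({}, "access_token=EXAMPLE_TOKEN_1"))
```

Running the scanner over real access logs is a cheap way to measure exposure after an incident like this one: every hit is a URL that may already sit in a proxy cache or a crawler index and whose token should be revoked. The extractor closes the hole going forward, and pairing it with a robots.txt or `X-Robots-Tag: noindex` on API paths covers the crawler side the researcher mentions.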