Interesting bit of news today. Apparently Microsoft’s Office 365 had – for some lengthy but undisclosed period of time – a vulnerability exposing every single account to public access. This means that if your organization offloaded Exchange to O365, all your e-mails and documents were wide open for some long period of time (months? years?).
The details are here.
The short version is that there was a bug in how O365 processed SAML assertions, the mechanism that lets O365 offload user identification, authentication and authorization to another system, such as an on-premise ADFS. An attacker could consequently impersonate anyone with a bogus SAML assertion.
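As an added example (not from the article, and not Microsoft's code), here is the set of checks a relying party should perform before trusting a federated SAML assertion: the issuer must be a registered IdP, the signature must verify under that issuer's key, the assertion must be inside its validity window and addressed to us, and the issuer must be allowed to vouch for the asserted user's domain. The IdP URLs, keys and audience are constructed for the demo, and a detached HMAC stands in for the enveloped XMLDSig signature real SAML uses.

```python
import hmac, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://sp.example/saml"  # constructed: the identifier this relying party expects

# Constructed trust configuration: each federated IdP, the key to check its signatures with,
# and the user domains it may vouch for (stands in for registered federation metadata).
TRUSTED_IDPS = {
    "https://adfs.contoso.example/adfs/services/trust": {"key": b"contoso-key", "domains": {"contoso.example"}},
    "https://adfs.fabrikam.example/adfs/services/trust": {"key": b"fabrikam-key", "domains": {"fabrikam.example"}},
}

def sign(xml_bytes: bytes, key: bytes) -> str:
    # Detached HMAC-SHA256 stands in for the XMLDSig signature a real IdP would produce.
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()

def build_assertion(issuer: str, name_id: str, audience: str, nb: str, noa: str) -> bytes:
    # Constructed minimal SAML 2.0 assertion for the demo; real ones carry more elements.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>').encode()

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_assertion(xml_bytes: bytes, sig_hex: str, now: datetime) -> str:
    """Return the asserted NameID only if every check passes; raise ValueError otherwise."""
    root = ET.fromstring(xml_bytes)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    idp = TRUSTED_IDPS.get(issuer)
    if idp is None:  # 1. the issuer must be a registered IdP
        raise ValueError(f"untrusted issuer {issuer!r}")
    if not hmac.compare_digest(sign(xml_bytes, idp["key"]), sig_hex):  # 2. integrity and origin
        raise ValueError("signature does not verify under that issuer's key")
    cond = root.find("saml:Conditions", NS)
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):  # 3. freshness
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != AUDIENCE:  # 4. meant for us
        raise ValueError("assertion was issued for a different audience")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id.rpartition("@")[2] not in idp["domains"]:  # 5. this issuer may vouch for this user
        raise ValueError(f"{issuer!r} is not authorized to assert {name_id!r}")
    return name_id
```

A validly signed assertion from a trusted IdP is still rejected when it names a user outside that IdP's domains, which is the check that distinguishes "signed by someone we trust" from "signed by the party entitled to speak for this user".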
Wow. Just wow.
This is no different than if they had dumped plaintext passwords for all of their users.
So to everyone claiming that if we could only get rid of passwords, the world would be safe again – here’s the counterexample. It doesn’t matter how you authenticate users, security bugs trump everything.
Safe computing everyone!