
V3 reports that researchers at Vulnerability Laboratory discovered a flaw in Microsoft Yammer's open authorisation (OAuth) procedures.

"The vulnerability that is exploited is an OAuth Bypass (Session Token) vulnerability. OAuth is a widely used standard by many sites including Facebook and Twitter. It allows secure interaction between the sites and third-party apps without the user having to enter their usernames and passwords each time, so in effect delegating the authentication task, which makes for a better user experience," said Janus.

"The issue here was not with OAuth itself but Yammer's implementation. The flaw was that there were no checks on the legitimacy of the server, so that user requests could potentially be redirected to a malicious server, and of course by accessing a user's profile the account can be taken over by the perpetrator and used malignly."
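The article does not spell out which check was missing. The most common way an OAuth authorisation flow ends up "redirected to a malicious server" is an authorisation endpoint that does not compare the requested redirect target exactly against the URI the client registered, so the token (or code) is delivered to an attacker-chosen host. The following is an added example written for this page, not Yammer's or Vulnerability Laboratory's code; the client id, registered URI, token value and the weak check are constructed, and the assumption that the Yammer flaw belonged to this class is an assumption, not something the article confirms. It contrasts a prefix-based check, which a look-alike host defeats, with the exact-match check RFC 6749 calls for, and shows the server refusing to redirect at all when the check fails.

```python
"""Weak vs. strict redirect_uri validation in an OAuth 2.0 authorisation endpoint.

Constructed example for illustration; not Yammer's implementation.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed client registry: a hypothetical client_id and its pre-registered
# redirect URI, as an authorisation server would store at app registration time.
CLIENT_REGISTRY = {
    "app-1234": {"redirect_uris": ["https://app.example.com/oauth/callback"]},
}


def weak_redirect_check(client_id, redirect_uri):
    """Insecure: accepts any redirect_uri that merely starts with the registered host.

    A prefix test is fooled by a look-alike host such as
    https://app.example.com.attacker.test/ or by a userinfo trick such as
    https://app.example.com@attacker.test/, both of which start with the
    registered host string but deliver the browser to attacker.test.
    """
    client = CLIENT_REGISTRY.get(client_id, {"redirect_uris": []})
    for registered in client["redirect_uris"]:
        registered_host = urlsplit(registered).netloc
        if redirect_uri.startswith("https://" + registered_host):
            return True
    return False


def strict_redirect_check(client_id, redirect_uri):
    """Secure: exact match against the pre-registered URIs (RFC 6749 s3.1.2.2, RFC 6819 s5.2.3.5).

    Rejects unknown clients, non-https schemes and any fragment component
    (RFC 6749 s3.1.2 forbids fragments in redirect URIs), then compares the
    remaining scheme/host/path/query string to the registered value as-is.
    """
    client = CLIENT_REGISTRY.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or parts.fragment:
        return False
    normalised = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, ""))
    return normalised in client["redirect_uris"]


def authorize(client_id, redirect_uri, state, check=strict_redirect_check):
    """Simulated implicit-grant response issued after the user has consented.

    Returns the Location header the user's browser would be sent to, with the
    (constructed) access token in the URL fragment, or None when the server
    refuses to redirect. Per RFC 6749 s4.2.2.1 an invalid redirect_uri must not
    be redirected to at all; the error is shown to the user instead.
    """
    if not check(client_id, redirect_uri):
        return None
    fragment = urlencode({"access_token": "tok-CONSTRUCTED", "token_type": "bearer", "state": state})
    return redirect_uri + "#" + fragment


if __name__ == "__main__":
    # A legitimate request and an attacker's look-alike host, run through both checks.
    for uri in ("https://app.example.com/oauth/callback", "https://app.example.com.attacker.test/"):
        print(uri)
        print("  weak   ->", authorize("app-1234", uri, "s1", check=weak_redirect_check))
        print("  strict ->", authorize("app-1234", uri, "s1", check=strict_redirect_check))
```

With the weak check, the second request yields a Location header of the form `https://app.example.com.attacker.test/#access_token=...`, which is exactly the token leak the quote describes: the attacker's server receives a bearer token for the victim's account without ever seeing a password. With the strict check the same request gets no redirect at all. In a real deployment the registry lookup would come from the application database and the token from the server's token service; only the validation logic is the point here.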

A Microsoft spokesperson told V3 that the company has already rolled out an automatic fix to address the issue.
Bug hunters spot security flaw in Microsoft Yammer open authorisation procedures