Microsoft closed cross-site scripting (XSS) vulnerability in its Office 365 edition, so the security researcher who discovered him to exp...
Microsoft closed cross-site scripting (XSS) vulnerability in its Office 365 edition, so the security researcher who discovered him to explain how it was done. Cogmotive-founder Alan Byrne details how the vulnerability can be exploited on their company blog as well as YouTube video demonstration.
This script loads up to two inline frames, each with a width and height values ​​set to 0 so that they are not really visible page. Script continue to use these two iframes to add a new user with administrative rights in the world and change the old user name back to normal .
The vulnerability stems from Microsoft's failed to clear the input fields. The default implementation of Office 365, users can change their names. Since the content of this field is not checked, users can enter HTML code. Add a new user means a temporary password sent to them, to give them everything they need to connect and fully control the organization's Office 365 implementation, including original locking administrators out.
