Marta Janus

What is the vulnerability?

The vulnerability that is exploited is an OAuth bypass (session token) vulnerability. Open Authorisation is a standard widely used by many sites, including the likes of Facebook and Twitter. It allows secure interaction between the sites and third-party apps without the user having to enter their usernames and passwords each time, in effect delegating the authentication task, which makes for a better user experience.

Is it a serious issue?

Potentially yes. The issue here was not with OAuth itself but with Yammer’s implementation. The flaw was that there were no checks on the legitimacy of the server, so that user requests could potentially be redirected to a malicious server, and of course, by accessing a user’s profile, the account can be taken over by the perpetrator and used malignly.

Another issue raised by the researchers is that supposedly live secure sessions are being captured by search engines. It is these session tokens which are then used in the exploit. There is no real reason why this information should be collected by search engines.
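The two weaknesses described above, a redirect target that is never checked against what the client registered and session tokens that end up in crawlable URLs, can both be guarded against in a few lines. The following is an added example, not Yammer’s or Microsoft’s code; it assumes the missing check was an allowlist comparison of the OAuth redirect target (the exact flaw is not detailed here), and the client id, callback URIs and sample URLs are constructed for illustration.

```python
"""Defensive OAuth helpers: strict redirect_uri validation and a scan for
tokens carried in URLs. Added example; registration data is constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed registration table: each client id maps to the exact callback
# URIs it registered. A real authorisation server loads this from storage.
REGISTERED_REDIRECTS = {
    "example-client": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-v2",
    },
}

# Query/fragment parameter names that should never appear in an indexable URL.
TOKEN_PARAMS = {"access_token", "oauth_token", "token", "session_token", "code"}


def weak_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """The 'before' version: accepts any redirect whose text merely contains a
    registered host name. Kept only to show why substring matching is unsafe."""
    hosts = {urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return any(h in redirect_uri for h in hosts)


def strict_is_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match of the whole URI against the client's registered set.
    Requires https, a host, and forbids query strings and fragments so the
    caller cannot smuggle extra parameters or a different path."""
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        return False
    return redirect_uri in allowed


def authorize(client_id: str, redirect_uri: str, state: str) -> tuple:
    """Authorisation-endpoint decision. On an unregistered redirect_uri the
    server must NOT redirect anywhere; it answers the user directly with an
    error (RFC 6749 section 4.1.2.1). Returns ("redirect", url) or ("error", msg)."""
    if not strict_is_allowed(client_id, redirect_uri):
        return ("error", "invalid redirect_uri for client")
    # A real server would issue a short-lived authorisation code here; the
    # code value is a constructed placeholder.
    return ("redirect", f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}")


def tokens_in_url(url: str) -> list:
    """Detection helper for log or sitemap review: returns the names of token
    parameters found in the query string or fragment of a URL. Any hit means
    a secret was placed where crawlers, proxies and referrer headers can see it."""
    parts = urlsplit(url)
    found = []
    for raw in (parts.query, parts.fragment):
        for name in parse_qs(raw, keep_blank_values=True):
            if name.lower() in TOKEN_PARAMS:
                found.append(name)
    return found


if __name__ == "__main__":
    # Constructed sample URLs, as a defender would see them in access logs.
    for url in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com.evil.test/oauth/callback",
        "https://app.example.com/oauth/callback?redirect=elsewhere",
    ):
        print(f"{url}: weak={weak_is_allowed('example-client', url)}"
              f" strict={strict_is_allowed('example-client', url)}")
    print(tokens_in_url("https://app.example.com/profile#access_token=abc&type=bearer"))
```

The strict check deliberately refuses to redirect at all when the URI is not registered; redirecting to the supplied value with an error message attached is exactly the behaviour that turns a lax check into an open redirect. `tokens_in_url` is the kind of scan to run over access logs and search-console listings to find out whether any session material has already leaked into indexable links.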

What can businesses using Yammer do to protect themselves?

No action is required on the part of Yammer customers. The process of disclosure seems to have been handled well in this case. The researchers disclosed it to the vendor, i.e. Microsoft, on July 10, and they issued an automatic fix on July 30. It was publicly disclosed on August 4.