August 9, 2013

Guest Blog: Yammer vulnerabilities

Marta Janus, security researcher at Kaspersky Lab, talks to CBR about how Microsoft’s social network was at risk before the fix.

By CBR Rolling Blog

Marta Janus

What is the vulnerability?

The vulnerability exploited is an OAuth bypass (session token) vulnerability. Open Authorisation (OAuth) is a standard widely used by many sites, including the likes of Facebook and Twitter. It allows secure interaction between sites and third-party apps without the user having to enter their usernames and passwords each time, in effect delegating the authentication task, which makes for a better user experience.

Is it a serious issue?

Potentially yes. The issue here was not with OAuth itself but with Yammer’s implementation. The flaw was that there were no checks on the legitimacy of the server, so user requests could potentially be redirected to a malicious server; and of course, by accessing a user’s profile, the account can be taken over by the perpetrator and used malignly.

Another issue raised by the researchers is that supposedly live secure sessions are being captured by search engines. It is these session tokens which are then used in the exploit. There is no real reason why this information should be collected by search engines.

What can businesses using Yammer do to protect themselves?


No action is required from Yammer customers. The process of disclosure seems to have been handled well in this case. The researchers disclosed it to the vendor, i.e. Microsoft, on July 10, and Microsoft issued an automatic fix on July 30. It was publicly disclosed on August 4.
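The answer above describes the flaw as a missing check on the legitimacy of the server that user requests are redirected to. The interview does not say which check that was; the added example below (not from the article, Kaspersky Lab or Microsoft) assumes it is the OAuth redirect URI check, the place where an authorization server decides which server receives the user's session token, and contrasts a lax comparison that lets an unregistered host through with the exact-match comparison RFC 6749 calls for. All URIs and host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs a client registered with the
# authorization server (hypothetical values, not Yammer's configuration).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example.com/oauth/callback",
})


def lax_redirect_check(redirect_uri: str) -> bool:
    """A check that does not establish the server's legitimacy.

    It accepts the URI if a registered URI appears anywhere inside it, or if
    the registered host name appears anywhere inside the requested host name.
    Both tests pass for URIs that point at a completely different server.
    """
    host = urlsplit(redirect_uri).hostname or ""
    for registered in REGISTERED_REDIRECT_URIS:
        if registered in redirect_uri:
            return True
        registered_host = urlsplit(registered).hostname or ""
        if registered_host and registered_host in host:
            return True
    return False


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact-match validation as RFC 6749 section 3.1.2.3 requires when the
    full redirect URI is registered: simple string comparison, and the
    redirect endpoint must be https and carry no fragment (section 3.1.2)."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def compare_checks(redirect_uri: str) -> dict:
    """Run both checks so the difference can be inspected for one input."""
    return {"lax": lax_redirect_check(redirect_uri),
            "strict": strict_redirect_check(redirect_uri)}


if __name__ == "__main__":
    # Constructed inputs: one legitimate URI, two that point at another host.
    for uri in ("https://app.example.com/oauth/callback",
                "https://app.example.com.attacker.example.net/oauth/callback",
                "https://attacker.example.net/?next=https://app.example.com/oauth/callback"):
        print(uri, compare_checks(uri))
```

Only the first URI passes the strict check; the lax check accepts all three, which is the condition under which a token could be handed to a server the user never intended to reach.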
