Monday 12 August 2013

Bug hunters spot security flaw in Microsoft Yammer open authorisation procedures

A security flaw in Microsoft Yammer's open authorisation (OAuth) procedures has been uncovered by bug hunters.
The flaw was revealed by Vulnerability Laboratory researchers on the Full Disclosure forum and relates to the technology used by Yammer to allow secure interactions with third-party apps. Kaspersky security researcher Marta Janus told V3 the vulnerability theoretically could leave Yammer users open to attack by cyber criminals.
"The vulnerability that is exploited is an OAuth Bypass (Session Token) vulnerability. OAuth is a widely used standard by many sites including Facebook and Twitter. It allows secure interaction between the sites and third-party apps without the user having to enter their usernames and passwords each time, so in effect delegating the authentication task, which makes for a better user experience," said Janus.
"The issue here was not with OAuth itself but Yammer's implementation. The flaw was that there were no checks on the legitimacy of the server, so that user requests could potentially be redirected to a malicious server, and of course by accessing a user's profile, the account can be taken over by the perpetrator and used malignly."
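The check Janus describes as missing, shown as an added example that is not Yammer's or Microsoft's code: a loose redirect-target check beside the exact-match check an OAuth authorisation server should apply before sending a user's browser to a client's callback. The client registry, client_id and URIs are constructed for illustration.

```python
# Added example (not Yammer's or Microsoft's code). Demonstrates why an
# authorisation server must validate the redirect target against what the
# client registered, rather than trusting whatever the request names.
from urllib.parse import urlsplit

# Constructed registry: each client_id maps to its pre-registered callbacks.
REGISTERED_CLIENTS = {
    "client-123": ["https://app.example.com/oauth/callback"],
}


def weak_redirect_check(client_id: str, requested: str) -> bool:
    """Loose check that only looks for the registered host *somewhere* in the
    requested URI. Included to show how a check this weak still lets a
    request be steered to a server the client never registered."""
    for registered in REGISTERED_CLIENTS.get(client_id, []):
        if urlsplit(registered).hostname in requested:
            return True
    return False


def strict_redirect_check(client_id: str, requested: str) -> bool:
    """Exact-match check, as RFC 6749 section 3.1.2.2 recommends: the requested
    URI must equal one of the client's registered URIs byte for byte, use
    https, and carry no fragment. Anything else is refused, so the user is
    never redirected to an unregistered server."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        return False
    return requested in REGISTERED_CLIENTS.get(client_id, [])


if __name__ == "__main__":
    legit = "https://app.example.com/oauth/callback"
    # Constructed look-alike host: contains the registered hostname as a
    # substring, so the weak check accepts it while the strict check does not.
    lookalike = "https://app.example.com.evil.test/callback"
    for uri in (legit, lookalike):
        print(uri,
              "weak:", weak_redirect_check("client-123", uri),
              "strict:", strict_redirect_check("client-123", uri))
```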
A Microsoft spokesperson told V3 the company has already rolled out an automatic fix to address the issue. "On July 30, 2013, we released an automatic update to help protect our Yammer customers. We have not detected any attacks and there is no action for customers, as they are automatically protected," said the spokesperson.
Janus praised Microsoft for its rapid response but warned the discovery does still have some troubling implications, regarding what data Yammer stores. "The process of disclosure seems to have been handled well in this case. The researchers disclosed it to the vendor – Microsoft – on 10 July 2013 and they issued an automatic fix on 30 July and then it was publicly disclosed," said Janus.
"Another issue raised by the researchers is that supposedly live secure sessions are being captured by search engines. It is these session tokens which are then used in the exploit. There is no real reason why this information should be collected by search engines."
Full disclosure has been a hot topic in the security community for decades, with many divided over how vulnerability researchers should responsibly disclose their findings.
Most recently Apple software hacker Charlie Miller released a white paper detailing how to hack moving cars, saying he hoped the release would motivate researchers to fix ongoing problems in smart car security procedures.
