Cross Domain Authentication Bypass in Office 365 (economyofmechanism.com)
12 points by jc_811 on April 27, 2016 | hide | past | favorite | 3 comments


Out of all the service providers I've worked with, Microsoft's been the worst. A few years ago I was amazed that I could literally brute force an O365 admin account via PowerShell and it would never lock the account, and of course there was no way to enable 2FA for the account...


This is impressively bad. Literally Office365 let you simply claim to be anyone you wanted to via SAML. They didn't bother checking the user was actually in the same domain as the SAML Identity Provider. I can't get over how insanely incompetent that is...
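
The check the comment above says was missing, written out as an added example (not code from the article, the thread, or Microsoft): a relying party that trusts any known identity provider to assert any user, beside one that also requires the asserted user's domain to be one that issuer is federated for. The federation registry, entity IDs, tenants and assertions are all constructed for illustration; signature verification and hardened XML parsing are assumed to happen before this step.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed federation registry (hypothetical values): for each identity
# provider, keyed by its SAML Issuer entity ID, the e-mail domains it is
# authorised to assert identities for.
FEDERATED_DOMAINS = {
    "https://idp.tenant-a.example/saml": {"tenant-a.example"},
    "https://idp.tenant-b.example/saml": {"tenant-b.example"},
}


def make_assertion(issuer, name_id):
    """Build a minimal constructed SAML 2.0 assertion for the example."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        f"{name_id}</saml:NameID>"
        "</saml:Subject>"
        "</saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (issuer, name_id) from an assertion. Signature validation and
    XXE-safe parsing are assumed to have been done already; this only reads
    the two claims the domain check needs."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if issuer is None or name_id is None or not issuer.text or not name_id.text:
        raise ValueError("assertion lacks Issuer or NameID")
    return issuer.text.strip(), name_id.text.strip()


def accept_user_insecure(xml_text):
    """Flawed pattern the comment describes: once the issuer is a known IdP,
    whatever user it names is accepted, even one in another tenant."""
    issuer, name_id = parse_assertion(xml_text)
    if issuer not in FEDERATED_DOMAINS:
        return None
    return name_id


def accept_user_secure(xml_text):
    """Hardened pattern: the asserted user's domain must be one of the domains
    this particular issuer is federated for."""
    issuer, name_id = parse_assertion(xml_text)
    allowed = FEDERATED_DOMAINS.get(issuer)
    if allowed is None:
        return None
    local, sep, domain = name_id.rpartition("@")
    if not sep or not local or domain.lower() not in allowed:
        return None
    return name_id


# Constructed inputs: tenant A's IdP asserting one of its own users, and
# tenant A's IdP asserting an admin that belongs to tenant B.
SAME_DOMAIN = make_assertion("https://idp.tenant-a.example/saml", "alice@tenant-a.example")
CROSS_DOMAIN = make_assertion("https://idp.tenant-a.example/saml", "admin@tenant-b.example")

if __name__ == "__main__":
    for label, assertion in (("same-domain", SAME_DOMAIN), ("cross-domain", CROSS_DOMAIN)):
        print(label, "insecure:", accept_user_insecure(assertion),
              "secure:", accept_user_secure(assertion))
```

The secure variant binds the subject to the issuer's registered domains rather than to the mere fact that the issuer is trusted; a real relying party would also check the assertion's audience, validity window and replay protection, which this example leaves out.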


I guess the only saving grace is that they fixed it in 7 hours, but again it shouldn't have been an issue in the first place :/
