Vulnerability in Office 365 Allows Hackers to Steal Credentials

Ooopsy! Another Microsoft security blunder!

Office 365 bug allows hackers to steal credentials

ZDNet – “Anyone hosting a Word document on their webserver can steal Microsoft Office 365 credentials due to a bug in how the cloud service attempts to authenticate users.

Adallom chief software architect Noam Liran discovered the bug, outlining how it works on his blog.

Office 365 requires users to log in to their account, and, when downloading a document from a SharePoint server, it verifies the credentials of the currently logged-in user by sending an authentication token.

The token should only be sent when the server is on the sharepoint.com domain. However, Liran found that by running his own server and sending back responses that would be expected of a legitimate SharePoint server, the user’s computer would send the authentication token anyway.

‘Now, my malicious web server, in possession of your private Office 365 authentication token, can simply go to your organisation’s SharePoint Online site, download all of it, modify it, or do whatever it wants, and you will never know about it. In fact, you won’t even know you got hit! It’s the perfect crime,’ he wrote.

Adallom has created a proof of concept video demonstrating how authentication tokens can be stolen.”
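As an added, defender-side illustration of the scoping rule the article describes (this is example code, not the Office client's logic and not code from ZDNet, Adallom or Microsoft): the decision to release an authentication token must key on the host the client itself connected to, never on what the server sends back, since a rogue server can copy a real SharePoint reply. The response-header name and the flawed variant below are constructed for this example.

```python
from urllib.parse import urlsplit

# Domains the token may be released to. The page names only sharepoint.com;
# the tuple form is an assumption so more suffixes could be added.
TRUSTED_SUFFIXES = ("sharepoint.com",)


def host_is_trusted(host: str) -> bool:
    """Exact match or proper subdomain of a trusted domain (suffix anchored
    on a dot), so 'sharepoint.com.attacker.example' does not qualify."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def should_send_token(url: str, response_headers: dict) -> bool:
    """Correct rule: only the URL's scheme and host decide. response_headers
    is accepted but deliberately ignored; a server's claims are untrusted."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # urlsplit.hostname strips userinfo, so 'trusted.sharepoint.com@evil'
    # resolves to the real target host 'evil', not the decoy prefix.
    return host_is_trusted(parts.hostname or "")


def naive_should_send_token(url: str, response_headers: dict) -> bool:
    """Constructed flawed rule, mirroring the failure mode in the article:
    trusting a SharePoint-looking reply (header name is invented here)."""
    return response_headers.get("X-Claims-SharePoint") == "yes"


if __name__ == "__main__":
    spoofed = {"X-Claims-SharePoint": "yes"}  # constructed rogue response
    for u in ("https://contoso.sharepoint.com/sites/hr/plan.docx",
              "https://sharepoint.com.attacker.example/plan.docx",
              "https://contoso.sharepoint.com@attacker.example/plan.docx",
              "http://contoso.sharepoint.com/plan.docx"):
        print(f"{u}\n  correct={should_send_token(u, spoofed)}"
              f"  naive={naive_should_send_token(u, spoofed)}")
```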