mailing list archives
Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Tue, 06 Aug 2013 21:55:24 +0100
Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability
Microsoft Security Response Center (MSRC) ID: 15126
Common Vulnerability Scoring System:
Yammer, Inc. is a freemium enterprise social network service that was launched in 2008 and sold to Microsoft in 2012.
is used for private communication within organizations or between organizational members and pre-designated groups,
an example of enterprise social software. It originally launched as an enterprise microblogging service and now has
on several different operating systems and devices. Access to a Yammer network is determined by a user`s Internet
only those with appropriate email addresses may join their respective networks.
Yammer is a secure, private social network for your company. Yammer empowers employees to be more productive and
enabling them to collaborate easily, make smarter decisions faster, and self-organize into teams to take on any
It is a new way of working that naturally drives business alignment and agility, reduces cycle times, engages employees
relationships with customers and partners.
Pioneered Enterprise Social Networking when we launched in 2008 Among the fastest growing enterprise software companies
exceeding over four million users in just three years. Raised $142 million in venture funding from top tier firms Used
than 200,000+ companies worldwide
Built social from the ground up with ‘Facebook DNA’: Facebook’s Founding President, Sean Parker serves on Yammer’s
Board of Directors
Yammer and Facebook share the same first investor, Peter Thiel; backed by Social+Capital Partnership – a fund
established by former
Facebook Vice President, Chamath Palihapitiya. More than 80 percent of the Fortune 500® are using Yammer. Leading
including Ford, Nationwide, 7-Eleven, Orbitz Worldwide, Rakuten, and Telefonica O2 have adopted Yammer.
OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter,
Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. It is an open-web
organizations to access protected resources on each other`s web sites. This is achieved by allowing users to grant a
application access to their protected content without having to provide that application with their credentials.
Unlike Open ID, which is a federated authentication protocol, OAuth, which stands for Open Authorization, is intended
authorization only and it does not attempt to address user authentication concerns. There are several excellent online
referenced at the end of this article, that provide great material about the protocol and its use.
Vendor Homepage: http://www.microsoft.com
Product Homepage: https://www.yammer.com
The Vulnerability Laboratory Research Team has discovered multiple critical Vulnerabilities in the Microsoft Yammer
2013-07-09: Researcher Notification & Coordination (Ateeq Khan)
2013-07-10: Vendor Notification (Microsoft Security Response Center)
2013-07-11: Vendor Response/Feedback (Microsoft Security Response Center)
2013-07-30: Vendor Fix/Patch (Microsoft Developer Team)
2013-08-04: Public Disclosure (Vulnerability Laboratory)
Product: Yammer - Social Network Application 2013 Q2
An auth bypass session token web vulnerability is detected in the official Microsoft Yammer Social Network
The vulnerability allows remote attackers to bypass the token protection to compromise the account auth system of the
[*] `Critical Information Disclosure` due to `Insecure Oauth 2 Implementation` resulting in `Auth Bypass.`
The Oauth 2 protocol is all about authenticating the Client (consumer key and secret) and the User to the Server, but
not the other way around.
There is no protocol support to check the authenticity of the Server during the handshakes. So essentially, through
phishing or other exploits,
user requests can be directed to a malicious Server where the User can receive malicious or misleading payloads. This
could adversely impact
the Users, but also the Client and Server in terms of their credibility and bottom-line.
It has been discovered that due to insecure implementation of OAuth on the Yammer network, it is possible to steal
other user profiles by simply
requesting a leaked access token which can be accquired from publically accessable search engine results. (Google`s
Cache) and or by other possible means.
During the testing, the researcher was able to accquire sensitive information (valid access_tokens) using Google search
engine and upon further
testing it was revealed that by including the access token directly in the browser through an HTTPS request, it is
possible to log on to Yammer as the
affected user. The session gets authenticated without entering the login/password credentials.
Using the google search engine, the researchers was able to find a particular link listed publically in the results and
requesting that link directly in the browser, the researcher was instantly logged in as the given `user` with full
the profile. We have explained all steps in the POC section for further analysis. Please note, We were able to find
atleast 2 valid
tokens using Google search engine cache results.
The variable that is revealed publically is located in the Yammer API module in the
/api/v1/messages?access_token=[Valid Token Here] parameter.
The fact that search engine bots are able to capture live user session data / sensitive URL parameters in its cache
which is publically accessable by
everyone should be noticed and fixed immediately. Also the fact that by requesting the access token directly in your
browser through HTTPS, it simply
logs you in the Yammer social network as the affected user is also alarming.
This vulnerability results in a complete compromise of the affected accounts, user profile and the associated risk is
Exploitation of the vulnerability requires no user interaction and also no registered Yammer account is required. To
capture the session
the attacker can use a random empty session as form to request.
[+] Microsoft Yammer Social Network
Proof of Concept:
The remote auth bypass vulnerability can be exploited by remote attacker without privileged application user account or
For demonstration or reproduce ...
1) Use the following Google dork to find the valid access tokens listed publically in the search engine cache results.
Google Dork: site:yammer.com inurl:'access_token'
1) Open the POC link #1 in your browser
https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA (You will be directly authenticated as the
affected user upon requesting this link)
2) Open another browser tab and visit the Yammer social network website (https://www.yammer.com)
3) You will now be redirected to the user profile with full access and priviledges hence proving the existence of this
PoC Link #2
Note: you can use any of the Two given links mentioned above to reproduce this POC.
Other sensitive links captured from search engine cache:
--- PoC Request & Response Session Logs ---
HTTP GET Request
GET /api/v1/messages?access_token=cQ5AwEgUocADLNQPUncVuQ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept-Encoding: gzip, deflate
Cookie: _workfeed_session_id=dd9fa728ce6dc861df3cba09e46dc800; yamtrak_id=fc24240f-5d58-40e9-a647-e1bed7232e5b;
km_ai=YKAMlAV8CfR7RVANZHFvRaE6psA%3D; km_uq=; km_lv=x;
%3A20130707%3A2%7CQF74DUYCSFC4HP47P56MLN%3A20130707%3A1; __utmb=2537729188.8.131.523316169; km_vs=1;
HTTP/1.1 200 OK
Date: Mon, 08 Jul 2013 20:51:37 GMT
Content-Type: application/xml; charset=utf-8
Status: 200 OK
Access-Control-Allow-Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY,
UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL,
ACL, SEARCH, PATCH
Cache-Control: max-age=0, private, must-revalidate
Access-Control-Allow-Headers: Content-Type, X-Requested-With, NETWORK_ID, Authorization, X-CSRF-Token
X-XSS-Protection: 1; mode=block
<?xml version="1.0" encoding="UTF-8"?>
<feed-desc>jungletorch.com's public messages</feed-desc>
TLS/SSL is the recommended approach to prevent any eavesdropping during the data exchange. Search Engine bots crawling
should be restricted
from capturing sensitive URL parameters from user sessions. Also user notifications should be enabled if an
authentication request is being
performed through the HTTPS protocol. Furthermore, Resource Providers can limit the likelihood of a replay attack from
a tampered request by
implementing protocol`s Nonce and Timestamp attributes. The value of oauth_nonce attribute is a randomly generated
number to sign the Client
request, and the oauth_timestamp defines the retention timeframe of the Nonce.
Insecure Storage of Secrets:
Protecting the integrity of the Client Credentials and Token Credentials works fairly well when it comes to storing
them on servers. The secrets
can be isolated and stored in a database or file-system with proper access control, file permission, physical security,
and even database or
disk encryption. For securing Client Credentials on mobile application clients, follow security best practices for
storing sensitive, non-stale
data such as application passwords and secrets.
The security risk of this insecure Oauth implementation vulnerability is estimated as critical.
Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq () evolution-sec com)
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com -
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php -
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code,
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record,
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
VULNERABILITY LABORATORY RESEARCH TEAM
CONTACT: research () vulnerability-lab com
- Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability Vulnerability Lab (Aug 07)