The anatomy of an Office 365 Vulnerability. How a flaw was detected and fixed


The potential dangers that lurk in massive multi-tenant infrastructures were illustrated by a weakness in an Office 365 API discovered in early July 2016 by researchers at Cogmotive, an ISV specializing in reporting and analysis of Office 365. After Cogmotive reported the vulnerability to Microsoft, it was quickly fixed and Cogmotive was thanked through Microsoft’s Online Services Bug Bounty program. All’s well that ends well.

2 Replies
Meh, that isn't even the first vulnerability related to OAuth they've had; one would think they'd have learned something from the previous ones. Eh, programmers...
True. But that wasn't the point of the article. I think the more interesting aspects are the fact that an Online Services Bug Bounty program exists and the way that the MSRC coordinates reports of vulnerabilities to make sure that they are addressed ASAP.