Microsoft Patches Yammer Security Flaw

Microsoft has reacted quickly to a security vulnerability concerning its enterprise social networking vendor Yammer.

Redmond acquired Yammer in July 2012 for $1.2 billion ($772m) and has spent the last year building out a solid road map. Aside from growing the user and features base, Microsoft has also helped tighten up Yammer’s security.

Bypass Vulnerability

This comes after a security report from researchers at Vulnerability Laboratory this week, detailed a remote authorisation bypass vulnerability in Yammer. The vulnerability potentially could have been exploited by a remote attacker without having a privileged application user account or there being any user interaction. The flaw was related to an insecure implementation of the OAuth authorisation technology Yammer uses.

“It is possible to steal other user profiles by simply requesting a leaked access token, which can be acquired from publicly accessible search engine results [Google’s Cache] and or by other possible means,” Vulnerability Laboratory warned. “During the testing, the researcher was able to acquire sensitive information [valid access_tokens] using the Google search engine, and upon further testing, it was revealed that by including the access token directly in the browser through an HTTPS request, it is possible to log on to Yammer as the affected user.”

But Microsoft reacted quickly. Vulnerability Laboratory reported the flaw to the Microsoft Security Response Center 10 July and got a response back 11 July. According to Microsoft, an automatic update for the flaw was pushed out 30 July.

No Attacks

“We have not detected any attacks, and there is no action for customers, as they are automatically protected,” a Microsoft spokesperson told eWEEK.

Microsoft is gaining respect from some observers for its security work. In addition to the Microsoft Security Response Center, Microsoft also has a robust security program in place for products. Known as the Security Development Lifecycle (SDL), the program has been emulated by other tech vendors. The SDL process bakes security practices into every step of the development and productisation process, and it is now one that Yammer benefits from as well.

“When Microsoft acquires a company, we begin a process of on-boarding that company and its products to our Security Development Lifecycle,” Microsoft’s spokesperson said.

How well do you know Internet security? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago