Skip to content
Naked Security Naked Security

Office 365 exposed some internal search results to other companies

It’s not clear how many accounts were involved, but Microsoft is said to have made URLs and metadata available so admins can investigate.

As the well-worn internet saying goes – there is no cloud, it’s just someone else’s computer.
It opens our coverage of the news last February that some Google Photos data had been inadvertently made accessible to the wrong users.
Now Microsoft has suffered its own smaller version of the same phenomenon on the Office 365 platform (or Microsoft 365 as its business versions are now called).
The Register reported that an admin was told that their company’s internal search results had been made visible when queries were run by users from another company.
The glitch was temporary, and any files displayed were not accessible:

At no time were the files that were displayed accessible to the user who received the incorrect search results.

It’s not clear how many accounts were caught up in the incident but Microsoft is said to have made available the URL paths and metadata associated with the results so admins could “identify the exact search query results data which were inadvertently viewed.”
Microsoft acknowledged the problem, describing it as “resolved.”

In fact, the cloud is more like everyone’s computer. Underlying much cloud storage is that data can use shared physical storage with logical separation between them maintained by software.
In this incident, the problem is more likely to be connected to a misconfiguration or bug in the applications keeping tabs on where everything is – the application searched for something in Azure Active Directory (AD) but misunderstood the permissions connected to what it had found.
The incident reminds us that as the walls that segment the cloud into separate units are only as solid as the code they’re written in. Separation in the cloud is not infallible.
More broadly, is Microsoft 365 security as watertight as it could be? The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently drew attention to the security of Microsoft 365. But its concern was hasty deployments, resulting from the sudden need for lots of people to work from home, rather than because of any underlying weakness in the platform:

CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.

Office 365’s search issue is minor but disconcerting. It’s a paradoxical aspect of any well-oiled machine that the user only notices how well-oiled it is on the odd occasion the wheels come off.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!