Security Issue – Yammer Account Details Unauthorized Change

Hi, Andrzej (KAZM) here.

During testing Yammer with DSync I have found a security issue letting anyone to change anyone’s other Yammer Account Details in an unauthorized way, knowing only user’s e-mail. In few words: you could change anyone’s details of Yammer account, including Name and GivenName, in an unauthorized way.

NOTE: Issue has already been fixed/patched and below I am demonstrating Proof of Concept of the way someone could exploit this security gap.

Products that were affected: Yammer Enterprise DSync.

Problem description

The scenario begins when I create a user in Active Directory with Name=New_Name, GivenName=New_GN and Description=My_new_description, Work phone=123456 and (IMPORTANT) with E-mail attribute of an email of the real user (that already has and uses a Yammer account). This email can be in any domain (eg. @predica.pl, @microsoft.com). Let’s say I use my Predica’s email: akazmierczak [at] predica.pl.

During Dsync synchronization, details such as Name, GivenName, Description, Work number for that real user (my account) are OVERWRITTEN in Yammer to reflect details provided in account create in Active Directory. Must mention here that I AM NOT an administrator of predica.pl Yammer Network and I do not need to know user’s password.

After synchronization is complete, user akazmierczak [at] predica.pl receives welcome email with message to join adatum.com.pl Yammer Network, but his Yammer account details are already changed to match Active Directory users details. So instead of “Andrzej Kaźmierczak” account one can see “New_Name New_GN” on all my Yammer networks! Moreover, details of my account will include things configured in Active Directory (My_new_description and with Work Phone as “123456”).

It also means that users account and all his history of posts, comments, likes, etc. will suddenly be seen on all users’ Yammer networks as “New_Name New_GN”.

Environment details

Office365

  • Yammer Enterprise is enabled in Office365 tenant
  • Domains
    • yammerlab.onmicrosoft.com
    • Adatum.com.pl (domain added and verified)
  • Accounts
    • Yammer_service@adatum.com.pl is a global admin in O365 and also a Verified admin in Yammer. This account is also used by DSync

Domain Controller VM

  • OS: Windows Server 2012 R2
  • FFL, DDL: Windows 2008 R2

YammerSync VM

  • OS: Windows Server 2008 R2
  • Dsync Configuration
    • version: Yammer.DirSync_v3-0-8
    • Yammer Settings
      • Logged in as yammer_service@adatum.com.pl account in adatum.com.pl domain
    • Directory Settings
      • Only 1 Directory Connection to DC
      • Using dedicated yammerservice service account created in Active Directory
    • globalsettings.config.json File Settings
      • Queries Section left unchanged with attribute (“Filter”: “mail=*”, )
      • DirectoryAttributeMap Section left unchanged with default mapping settings
      • SyncSettings Section left unchanged with attributes (EnableAdds, EnableUpdates, EnableSuspends) set to “true”
      • AttributePreferences Section changed, so that all attributes (Prefer*) are set to “true”
      • Other settings left default/unchanged

All servers are patched up until 01.03.2014

Video with PoC

The issue has been reported to Microsoft:

  • 02.03.2014 Ticket #114030211227295 (Microsoft USA support)
  • 02.03.2014 Microsoft performed a call with me with long discussion explaining the problem and steps to reproduce. Advised to send some screenshots, video or links, so Microsoft can further investigation on the issue
  • 03.03.2014 The same video as above was uploaded to Microsoft DTM and informed Microsoft Support
  • 23.04.2014 Microsoft informed me that issue was fixed
  • 24.04.2014 Tried to reproduce bug but it is fixed now:

YammerDirSync