
Cross Domain Authentication Bypass in Office 365 - jc_811
http://www.economyofmechanism.com/office365-authbypass.html
======
chayesfss
Out of all the service providers I've worked with, Microsoft's been the worst.
A few years ago I was amazed that I could literally brute force an o365 admin
account via powershell and it would never lock the account and of course there
was no way to enable 2fa for the account...

------
zaroth
This is impressively bad. Literally Office365 let you simply claim to be
anyone you wanted to via SAML. They didn't bother checking the user was
actually in the same domain as the SAML Identity Provider. I can't get over
how insanely incompetent that is...

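The check the comment above says was missing, written out as an added example (this is not code from the linked post, from the thread, or from Microsoft): the service provider must only accept a SAML assertion for a user whose domain is actually federated to the IdP that issued it. The issuer-to-domain registry, the `validate_assertion` and `issuer_may_assert` function names, and the sample assertion are all constructed for illustration.

```python
"""Added example: scoping a SAML assertion's NameID to the domains its
Issuer is federated for. Registry contents, function names and the sample
assertion below are constructed, not taken from any real deployment."""
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical federation registry: the DNS domains each IdP (keyed by the
# value it puts in <saml:Issuer>) is allowed to assert identities for.
FEDERATED_DOMAINS: Dict[str, Set[str]] = {
    "https://idp.tenant-a.example/": {"tenant-a.example"},
    "https://idp.tenant-b.example/": {"tenant-b.example", "tenant-b.co.example"},
}

# Constructed sample: an IdP federated for tenant-a asserts a user in tenant-b.
# With domain scoping this must be rejected, regardless of the signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.tenant-a.example/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>ceo@tenant-b.example</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_issuer_and_nameid(assertion_xml: str) -> Tuple[str, str]:
    """Pull Issuer and Subject/NameID out of a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    return issuer.strip(), name_id.strip()


def domain_of(name_id: str) -> str:
    """Domain part of an email-style NameID, lowercased for DNS comparison."""
    local, sep, domain = name_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("NameID is not of the form user@domain")
    return domain.lower()


def issuer_may_assert(issuer: str, name_id: str,
                      registry: Dict[str, Set[str]] = FEDERATED_DOMAINS) -> bool:
    """True only if this issuer is federated for the NameID's domain."""
    allowed = registry.get(issuer)
    if allowed is None:
        return False  # unknown IdP: reject rather than trust by default
    return domain_of(name_id) in {d.lower() for d in allowed}


def validate_assertion(assertion_xml: str,
                       registry: Dict[str, Set[str]] = FEDERATED_DOMAINS) -> bool:
    """Domain-scoping check only; signature, audience, conditions and replay
    checks are assumed to have already passed before this is called."""
    issuer, name_id = extract_issuer_and_nameid(assertion_xml)
    return issuer_may_assert(issuer, name_id, registry)


if __name__ == "__main__":
    print("sample assertion accepted:", validate_assertion(SAMPLE_ASSERTION))
```

This check sits after, not instead of, signature verification: a correctly signed assertion from a legitimately federated IdP is still only good for the domains that IdP was registered for. In production, parse untrusted XML with a hardened parser (the stdlib parser here is used only to keep the example self-contained) and compare the Issuer against the registry exactly as registered, not by substring.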
~~~
jc_811
I guess the only saving grace is that they fixed it in 7 hours, but again it
shouldn't have been an issue in the first place :/

