The vulnerability allowed users to create administrative accounts and take over a business' Office 365 implementation.
Microsoft has closed up a cross-site scripting (XSS) vulnerability in its Office 365 offering, allowing the security researcher who discovered it to explain how it was done.
Cogmotive co-founder Alan Byrne details how the vulnerability can be exploited on his company's blog, as well as in a YouTube video demonstration.
"This is a perfect example of a very simple exploit which has a huge possibility to cause billions of dollars' worth of damage. As we move further and further into the cloud, we need to be more and more aware of the potential security risks," he wrote.
The vulnerability stems from Microsoft's failure to sanitise input fields. Under the default implementation of Office 365, users are able to change their names. As the contents of this field are not checked, users can enter HTML code.
Read more at: Microsoft closes Office 365 admin access vulnerability | ZDNet