Microsoft patches gaping security hole in Yammer

Authentication flaw left accounts vulnerable to hostile takeover

At the end of July Microsoft plugged a gaping hole in its enterprise social networking tool, Yammer.

As reported on ZDNet, Yammer (acquired by Microsoft in late 2012) relies on the popular OAuth 2.0 authentication scheme. However, an error in Yammer's implementation of OAuth allowed a security researcher at Vulnerability Laboratory to find critical information with simple Google searches and use that information to log in as another user.

The researcher, Ateeq Khan, notified Microsoft of the hole on July 10, and the fix was applied on July 31. No further corrective action is required by Yammer users.

ZDNet's John Fontana points out that Facebook has suffered from a similar flaw in its OAuth implementation.

For more:
- read Fontana's article
- find more technical details on The Register
