This is my blog regarding to impersonating and publishing a comment on behalf of any Microsoft Word and PowerPoint users. Interestingly, Excel and Visio are secure, they handle the comments in a different way (secure way).
I report the vulnerability to Microsoft but it is classified as ‘by-design’. Personally, I strongly believe this is a vulnerability with huge risks.
What an attacker can do with it?
- Create a comment on a document behalf of any Microsoft 365 users — without their awareness
- Adding users as an author on a document without their involvement
Attackers can use the above security loopholes for successful phishing campaigns and tampering with the integrity of a document.
A comment has 3 components:
1. An author (a person who initiates the conversation - usually the logged-in user or a person with the document shared)
2. A message/body of the comment
3. The document - the main body which the comment attached on it
This is an example of Microsoft Word. Here is a scenario where a user abel@msobb*.onmicrosoft.com will impersonate and comment on behalf of another user in the same tenant. It should be noted that it also works cross-tenant.
Document Name: September
Author: Abel John
Comment Body: PoC Document
The above user Abel is comment on a document — ‘September.docx’:
Let’s see the API call:
These are important parameters the name of the author and the string which starts with ‘S::abel@msobb….onmicrosoft.com::3b64……27a’
S::<author_email>::Object ID of the user
From the above section, I hope it is clear how the API calls responsible for commenting on a Word document work. Now, let’s see how an attacker can tamper to add a comment on behalf of any user within a tenant. In order to, achieve this we need the victim’s email address, first & last name, and object ID.
Note — we can find this information easily from Microsoft Team external user search feature.
Here is an example, of how Abel John (attacker) can impersonate and comment on behalf of Chris Brown (victim).
Replace the display name from ‘Abel John’ with ‘Chris Brown (CFO)’, email address, and Object ID.
"Chris Brown (CFO)",
"Chris Brown (CFO)",
S::<victim_email>::Object ID of the victim
After replacing with the victim’s detail and refresh the page, I am able to successfully comment behalf of the victim user.
[Optional Step ] Adding another comment
Repeat the above process and replace the victim email on the membership parameter
The result from UI perspective:
You can see the details of the document on OneNote, in the ‘Activities’ section ‘Chris Brown’ is commenting on the document. His details are used to comment on the document without his involvement.
More importantly, ‘Chris Brown’ is now the author of the document without his awareness as it is seen in the version history.
A user abel@msobb???.onmicrosoft.com (display name labeled Author #2 — Abel John), creates a document (labeled — Document Name #1) and added a new comment (labeled — Message Body #3).
Anyone can edit the comment if this document is shared with edit right. However, this document is not shared with anyone.
Closer look of the API call & interesting parameters:
Now let’s impersonate and comment behalf of other users. In order to, exploit this vulnerability we need email address (UPN), display name and object ID. All this information can be found using Microsoft Teams external search feature.
For this example, I will use Microsoft Security Response Center email address and object ID.
Note — you can impersonate any user within or outside of your tenant.
"Microsoft Security Response Center",(Display name we want to impersonate)
"S::firstname.lastname@example.org::2XXXXX-XXXX-XXXXX-bd12-10XXXXXXXXX",(S::UPN::Object ID of the user we want to impersonate)
Replace the above parameters
Display Name from Abel John -to- Microsoft Security Response Center
S::email@example.com::ObjectID -to- S::firstname.lastname@example.org::ObjectID
We successfully impersonate and comment behalf of Microsoft Security Response Center user:
Microsoft believes this issue is by design and refers to this online resource. It says ‘anyone with edit access to your file can edit your comment’ but in my PoC the victim is not involved at all.
Note: Keep in mind that it's possible for others to edit your comments. Comments in an Office document are stored in the file, so anyone with edit access to your file can edit your comment.
Aug 05–2022 — Reported and received Case ID
Aug 10–2022 — Microsoft Classify the issue as ‘by design’
Aug 10–2022 — Explain and send more PoC
Aug 12–2022 — Microsoft decide ‘by design’
Aug 12–2022 — Draft sent for public disclosure
Sep 13- 2022- Microsoft Approved Publication