Hello, welcome to the Thursday, November 3, 2016 edition of the Sandton and Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

John Strand's team at Black Hell Infosec came across an interesting problem with Outlook Web Access.

If you do have the Exchange Web Service enabled, which

a lot of these sites do have in order, for example, to connect with various mobile apps

to your Outlook email. The problem here is that even if you do set up two-factor authentication

for Outlook Web access, the Exchange

Web Service is still accessible via just the normal credentials. And of course, then you have

full access to the email just like you would have had if you had the two-factor authentication. So really,

the two-factor authentication doesn't really, the two-factor authentication

doesn't provide much of a meaningful deterrence for an attacker to steal your email or even change

some settings. The attacker will have full access to everything that Outlook Web Access can do

for this particular user.

Now this was reported to Microsoft but no meaningful reply was received by Microsoft.

Of course, this is a hard problem to fix.

Now, what you typically see here as a fix is that instead of just using a username and

password to log in via a web service, you do use something like OAuth or some kind of

long random token. So at least that secret is a little bit better protected than a normal

password that you would use for a human login.

The big problem here is, and this is not just a problem with this particular Outlook Web Access,

set up that two-factor authentication doesn't really work well for these web services, where we do

want applications to continuously pull, for example, for a new email. What better

...