Last week we demonstrated a variety of ways in which an OWA session can be compromised, even though the user may have been doing their best to follow company security policies. This week's series of tests will highlight the exposures that exist with attachments in Outlook Web.
Simply follow the steps described in the use cases below to expose potential risks associated with attachments in Outlook Web.
Test Case 2a: Attachment Security in OWA
Step 1: Send an email with an attachment to the email account you will be using in this test.
Step 2: Open a browser.
Step 3: Log into OWA.
Step 4: Delete all files from the local browser cache using the appropriate instruction below:
- For IE: Go to Tools\Internet Options and click Delete, ensure Temporary Internet Files is selected, and click Delete;
- For Firefox: Click the Firefox menu, select Options, Advanced, click on the Network tab, in the Cached Web Content section, click Clear Now;
- For Chrome: Go to Chrome menu, select History, Clear Browsing Data, ensure Empty the cache is selected, choose Beginning of Time from the dropdown, and click Clear Browsing Data;
Step 5: In OWA, select the message you sent earlier that had an attachment and open the attachment by clicking on the document tile as shown:
*The user will be prompted to either Open or Save the document.
Step 6: Close the attachment, then log off from OWA by clicking logoff or the red X.
Step 7: Check the local browser cache:
- For IE 6,7,9,10: Go to Tools, Internet Options, click Settings under Browsing History, and View Files, Sort by type and look for the document;
- For IE8: Go to Tools, Internet Options, click Settings under Browsing History and View Files. Add \low to the end of the URL and search by *extension;
- For Firefox: Click the Firefox button, and select Downloads, and search for the document;
- For Chrome: Click the Chrome menu, and select Downloads, and search for the document.
Security Alert: The attachment is right there … in the browser cache.
Your users can be forgiven for thinking that logging out of OWA will ensure that nothing is left behind on the computer, but in fact, every time a user clicks on an attachment, that attachment will be left on the computer in the browser cache, creating a potentially significant breach of security.
Continue on to step 8 to see the actual contents of the attachment that has been mistakenly left behind.
Step 8: Right click the document and select “copy”. Right-click on the Desktop and click “paste”.
Step 9: Double click on the new document on the Desktop to open the document.
Step 10: Repeat this test with a document attached to a Contact in the Contacts Folder, an appointment in the Calendar and included as an attachment in an embedded email.
If you answered Yes for any of the above scenarios, your organization has a security vulnerability that potentially exposes confidential information. This includes unauthorized access to email, corporate GAL (employee & personal information), contact folders, confidential documents, etc…
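A scripted version of the Step 7 check, as an added example that is not part of the original post: it walks a cache or download folder and flags files whose leading bytes match common document formats, so a cache entry is caught even when its name or extension has changed. The folder path, the `cleared_at` parameter and all function names are assumptions of this example, and the sample files are constructed.

```python
import os
import tempfile

SIGNATURES = {  # leading bytes of common attachment formats
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls/.ppt/.msg
    b"PK\x03\x04": "zip",                         # .docx/.xlsx/.pptx and plain zip
    b"{\\rtf": "rtf",
}

def classify(path):
    """Return the document kind indicated by the file's first bytes, or None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None  # entry locked or removed while scanning
    return next((k for m, k in SIGNATURES.items() if head.startswith(m)), None)

def scan_cache(cache_dir, cleared_at=0.0):
    """List (relative path, kind) for document-like files written after cleared_at."""
    # cleared_at: epoch time of the Step 4 cache clear (assumed parameter), so
    # every hit is something the session under test left behind.
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            kind = classify(path)
            try:
                fresh = os.path.getmtime(path) >= cleared_at
            except OSError:
                continue
            if kind and fresh:
                hits.append((os.path.relpath(path, cache_dir), kind))
    return sorted(hits)

def demo():
    """Build a constructed cache folder and scan it (sample data, not real mail)."""
    cache = tempfile.mkdtemp(prefix="owa_cache_demo_")
    os.makedirs(os.path.join(cache, "low"))
    samples = {
        "Q3-forecast[1].pdf": b"%PDF-1.4 constructed sample",
        os.path.join("low", "f_0001a2"): b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed",
        "owa-style[1].css": b"body { margin: 0 }",
    }
    for rel, data in samples.items():
        with open(os.path.join(cache, rel), "wb") as fh:
            fh.write(data)
    return scan_cache(cache)
```

An empty result after logoff is the outcome to aim for; any hit is a document that stayed on the machine after the session ended.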
Note: Some organizations will rely on Web Ready Viewing (View as a Webpage) to secure their attachments, but this solution does not provide the security you expect. We won’t be covering this topic here, so contact us if you want to learn more.
What is the impact on your organization of these exposures? Beyond the potential for monetary penalties for privacy violations in many regulated industries, security breaches can destroy brand equity and customer relationships. Data breach studies continue to show that many data breaches are crimes of opportunity, which means that victim organizations fell prey because they had an exploitable weakness rather than because they were pre-identified for attack.
In the next blog we look at the challenges associated with Brute Force Attacks and Denial of Service.