Security researchers at WithSecure have discovered a vulnerability in Microsoft Office 365 caused by a weak block cypher implementation in the encryption. The feature is used to add encryption to send and receive emails to ensure confidentially encrypts data using the Electronics Code Book mode, which can potentially leak the plaintext message under specific conditions.
The issue isn’t with Office itself; instead, it lies in the ECB mode that is used to encrypt messages. When using ECB, repetitive areas in the plaintext message can end up looking the same even after encryption, eventually creating a pattern that can be deduced further to expose the encrypted message.
WithSecure researchers did, however point out that the message contents can’t directly be decrypted. That said, structural information about the messages can, however be captured. This means that if an attacker is able to collect multiple encrypted parts of a message, they can find patterns that can eventually make parts of the message readable without requiring an encryption key.
The larger the collection of these encrypted parts, the more of a message can be decrypted. A large database of messages can help decrypt the entire email content or parts of the message or any files contained within by referring to the locations of the repeated sections.
The discovery was reported to Microsoft earlier in January this year. The company has acknowledged the issue and even paid a bug bounty but hasn’t released a fix or workaround yet.
Microsoft’s major reason for still using ECB is to support legacy programs. The company is, however, working on adding an alternative encryption protocol for future versions. Until then, WithSecure recommends not trusting or using the Office 365 encryption feature.
The issue isn’t new either. This vulnerability has been pointed out previously in Adobe’s 2013 data breach, where millions of passwords were leaked because the company used ECB mode to encrypt its data. Another popular incident involving ECB led to a data leak was with Zoom in 2020, where the program used the same 128-bit key to encrypt all audio and video using AES paired with ECB.
In the News: Chinese internet censors protest against President Xi Jinping