Earlier this year, a script that adds screen-reading capabilities to websites was compromised. For a while, over 4000 government websites around the world were loading a cryptocurrency miner along with the screen-reading script. And while no real harm was done and the issue was eventually fixed, it makes you wonder: what if it happened in your Office 365 tenant, and the script did something far more malicious than mining coins?
Fewer issues, but really?
SharePoint offers rich APIs that developers can use for anything from retrieving your personal documents, latest projects or your colleagues to changing permissions and searching for confidential information. That’s not all. With recent additions, tenant administrators can grant scripts access to the Microsoft Graph and enterprise APIs, and because those grants are made to a single tenant-wide principal, any script running in the tenant can use them. And it’s exactly that flexibility that puts you at risk: a script runs with the permissions of the user who loads the page, so in the hands of a skilled developer who understands SharePoint, these are all invaluable tools for getting to your confidential and personal data.
What can you do about it
Know what scripts are being used in your tenant
This is where Rencore’s AnalysisCloud comes in. AnalysisCloud continuously monitors your SharePoint Online tenants to discover all changes made beyond mere configuration, i.e. scripts. It then assesses those scripts and reports the ones that might be harmful. Click the link below and try out AnalysisCloud today!
Don’t use a different script for everything
There are hundreds of thousands, if not millions, of scripts that developers and users can use in your tenant. The more different scripts are in use, the bigger the attack surface and the harder it is to evaluate all of them. Once you know which scripts are used in your tenant, go through all of them and verify how widely each one is used and whether there is an active community behind it. The less popular a script is, the bigger the chance that a change to its contents will go unnoticed.
Know what you’re loading
If a script relies on eval or contains obfuscated code, you should be wary of using it without a closer review. Legitimate minified libraries rarely need to build code from strings or hide URLs behind escape sequences; a loader that does both is the kind of thing a reviewer wants to see before it reaches a page. It will take some time, but are you willing to take the risk of that script stealing your confidential information?
Where are you loading your scripts from
You might trust specific hosting locations and CDNs more than others because your organization has a relationship with them or you trust their security measures. While it’s hard and tedious to do manually, there are tools that can help you ensure that all scripts in your whole SharePoint tenant are loaded from locations your organization approves. Discovering a script being loaded from an unexpected URL and pointing it at the approved location is still far less work than working out what data has been stolen. Keep in mind, though, that an approved host only tells you who serves the script, not whether its contents are what you reviewed: in the incident above, the script was modified at its legitimate location.
Use integrity hash with external scripts
Including the integrity hash is easy if you reference scripts in HTML using the script tag: add an integrity attribute carrying a base64-encoded SHA-256, SHA-384 or SHA-512 digest of the file, plus crossorigin="anonymous" for scripts served from another origin, and the browser refuses to execute the file if its contents don’t match. The flip side is that any legitimate update to the script also fails to load until you update the hash, which is exactly the point: nothing changes under you unnoticed. The SharePoint Framework doesn’t support specifying the integrity hash at this point. But given the framework’s popularity, I hope we will see this capability being added soon.
What you can’t do, at least for now
Over to you
If you want to take an even deeper dive into securing your SharePoint Online, I would recommend you sign up for our upcoming webinar “Securing SharePoint Online in 47 easy steps! (Or 5 steps, you choose)” by fellow Microsoft MVP Jussi Roine, where he will show you around all the areas you have to understand, secure and monitor to keep your data and organization secure, using both Azure and Office 365 capabilities and some common sense. Sign up today. It’s free!