Multiple bugs left Microsoft accounts vulnerable to attacks: Details here
A series of bugs left millions of Microsoft accounts - Office, Outlook, OneDrive, etc - vulnerable to attacks. They stemmed from a misconfigured Microsoft-owned subdomain and were capable of handing login access tokens to an attacker - giving them direct access to accounts, TechCrunch reported. Thankfully, Microsoft patched the vulnerabilities before anyone was known to have exploited them. Here are the finer details.
How login tokens could have ended up with an attacker
Login (access) tokens let users stay signed in without entering their password time and again, but anyone who holds a valid token can use the account it belongs to. In this case, these access tokens could have been leaked via a Microsoft subdomain - success.office.com. It wasn't properly protected and could have been used to build a seemingly legitimate Microsoft login link that delivered the victim's token to an attacker.
How the bug was uncovered
Back in June, India-based security researcher Sahad Nk found that success.office.com wasn't properly configured: its DNS CNAME record pointed at an Azure web app, and he was able to satisfy that record with an Azure web app of his own. This not only let him take over the Microsoft subdomain, but also gave him access to all data sent to it.
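The usual form of this takeover is a "dangling" CNAME: the record still points at a hosting-provider name that nobody currently owns, so whoever registers that name receives the subdomain's traffic. The check below is an added example written for this page (not the researcher's tooling or anything from Microsoft): the DNS records and the set of names that still resolve are constructed for the demo, and the provider suffix list is an illustrative assumption, not a complete catalogue.

```python
"""Find subdomains whose CNAME points at a hosting-provider name nobody owns.

Added example: the records and the simulated resolver below are constructed
for the demo and are not real DNS data.
"""
import socket
from typing import Dict, Iterable, List, Optional, Set

# Providers where an unclaimed hostname can be registered by anyone.
# Illustrative list (assumption), not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

# Constructed data: CNAME records under a zone, name -> target.
SAMPLE_CNAMES: Dict[str, str] = {
    "success.example.com": "success-portal.azurewebsites.net",  # target no longer claimed
    "www.example.com": "example-web.azurewebsites.net",          # target still live
    "blog.example.com": "ghost.example.net",                     # not a takeover-prone provider
}

# Constructed data: targets that currently resolve to an address (simulated resolver).
SAMPLE_RESOLVABLE: Set[str] = {"example-web.azurewebsites.net", "ghost.example.net"}


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so zone-file and resolver forms compare equal."""
    return host.lower().rstrip(".")


def is_takeover_prone(target: str) -> bool:
    """True if the CNAME target lives under a provider where names are self-service."""
    t = normalize(target)
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(cnames: Dict[str, str], resolvable: Set[str]) -> List[str]:
    """Subdomains whose CNAME points at a takeover-prone name that no longer resolves.

    A target that still resolves is owned by someone (hopefully you); one that
    does not resolve is free for an attacker to claim.
    """
    dangling = []
    for name, target in cnames.items():
        if is_takeover_prone(target) and normalize(target) not in resolvable:
            dangling.append(name)
    return sorted(dangling)


def live_resolvable(targets: Iterable[str]) -> Set[str]:
    """Optional helper for real use: ask the system resolver which targets resolve.

    Needs network access, so the demo below uses SAMPLE_RESOLVABLE instead.
    """
    alive: Set[str] = set()
    for target in targets:
        try:
            socket.gethostbyname(normalize(target))
            alive.add(normalize(target))
        except socket.gaierror:
            pass
    return alive


if __name__ == "__main__":
    for name in find_dangling(SAMPLE_CNAMES, SAMPLE_RESOLVABLE):
        print(f"DANGLING: {name} -> {SAMPLE_CNAMES[name]} (claim the target and you own the host)")
```

Run it as-is for the constructed demo; to check a real zone, export its CNAME records into the dictionary and pass `live_resolvable(cnames.values())` as the second argument.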
This bug, combined with another, posed the threat
After gaining control of the Microsoft-owned subdomain, Sahad found a second vulnerability. Microsoft-owned services - Sway, Store, Outlook, and possibly others - treated the hijacked subdomain as a trusted destination, so Microsoft's centralized login system would hand access tokens to it. The researcher posited that this was probably because the login system's list of allowed destinations used a wildcard covering any host under office.com, which the hijacked subdomain matched.
This opened the gates for an attack
The discovery enabled the researcher to show how an attacker could craft a specially constructed login URL (naming the hijacked subdomain as the destination) and trick an unsuspecting user into clicking it. The link would send the target to Microsoft's genuine login system, and once they completed the login, the system would redirect them to the hijacked subdomain together with their access token - which the attacker's server could then capture.
Thankfully, the issue has been fixed now
The vulnerabilities could have posed a major threat to the security of millions of Microsoft accounts and the data they hold. However, Microsoft, which was made aware of the issue in June, patched it last month, a company spokesperson confirmed to TechCrunch. They noted the company had removed the DNS link that allowed Sahad to take control of the subdomain.