A critical bug in Microsoft left 400M accounts exposed

A bug bounty hunter from India, Sahad Nk, who works for SafetyDetective, a cybersecurity firm, has received a reward from Microsoft for uncovering and reporting a series of critical vulnerabilities in Microsoft accounts.

These vulnerabilities affected users’ Microsoft accounts across services, from MS Office files to Outlook emails. This means all kinds of accounts (over 400 million) and all sorts of data were susceptible to hacking. The bugs, if chained together, would become the perfect attack vector for acquiring access to a user’s Microsoft account. All the attacker needed was to get the user to click on a link.


According to Sahad Nk’s blog post, a Microsoft subdomain, “success.office.com,” wasn’t configured properly, which is why he was able to take control of it through its CNAME record. A CNAME is a canonical-name DNS record that points one domain name at another. By following the CNAME, Sahad was able to identify the misconfigured subdomain and point it to his personal Azure instance, gaining control of the subdomain and all the data sent to it.

On its own, this isn’t a big issue for Microsoft; the real problem lies in the fact that the Microsoft Office, Sway, and Store apps could be tricked into sending their authenticated login tokens to that domain, now under the attacker’s control, when a user logs in via Microsoft Live. The reason this happens is that the vulnerable apps used a wildcard regex to validate the destination, which caused every subdomain to be trusted, explained Aviva Zacks of SafetyDetective.

As soon as the victim clicks on a specially crafted link, received via email, he or she is taken to Microsoft Live’s login system. When the victim enters the username, password, and the 2FA code (if enabled), an account access token is generated so the user stays logged in without needing to re-enter the login credentials.


If someone gets hold of this access token, it’s akin to obtaining the user’s actual credentials. Hence, an attacker can break into the account without alerting the account’s owner or even alarming Microsoft about unauthorized access.

The screenshot shows Nk receiving all the necessary tokens required to log into the victim’s account.

The malicious link is designed so that it forces the Microsoft login system to send the account token to the attacker-controlled subdomain. In this case, the subdomain was controlled by Sahad; had a malicious attacker controlled it, a massive number of Microsoft accounts could have been put at risk. Most importantly, the malicious link appears authentic because the user is still signing in through the legitimate Microsoft login system.
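The root cause described above is a wildcard pattern that trusts every subdomain as a token destination. The following is an added example, not code from the article or from Microsoft, contrasting that kind of check with an exact allowlist of registered redirect URIs; the hostnames in the allowlist are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed example of the weak check the article describes: a wildcard
# regex that accepts any host ending in .office.com, so a subdomain whose
# DNS record has been taken over is trusted just like a legitimate one.
WILDCARD_PATTERN = re.compile(r"^https://[a-z0-9.-]*\.office\.com(/.*)?$")

# Hardened form: exact redirect URIs registered per application.
# These hostnames are constructed placeholders, not real Microsoft endpoints.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://login.example-app.office.com/oauth/callback",
    "https://sway.example-app.office.com/oauth/callback",
})


def accepts_with_wildcard(redirect_uri: str) -> bool:
    """Weak check: true for every subdomain, including a dangling one."""
    return WILDCARD_PATTERN.match(redirect_uri) is not None


def accepts_with_allowlist(redirect_uri: str) -> bool:
    """Hardened check: https only, no fragment, and an exact registered match.

    Exact string comparison means a host that merely shares the parent
    domain (e.g. success.office.com) is rejected unless it was registered.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or not parts.netloc:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def compare(redirect_uri: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {
        "uri": redirect_uri,
        "wildcard_accepts": accepts_with_wildcard(redirect_uri),
        "allowlist_accepts": accepts_with_allowlist(redirect_uri),
    }


if __name__ == "__main__":
    # The subdomain named in the article versus a registered callback.
    for uri in ("https://success.office.com/callback",
                "https://login.example-app.office.com/oauth/callback"):
        print(compare(uri))
```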

The vulnerability has been fixed!

The bug was reported to Microsoft by Nk (who works for SafetyDetective), and the good news is that it has been fixed; however, the exact bounty amount Nk received is still unknown.
