The Redmond Cloud

A Bug Left Your Microsoft Account Wide Open For Hijack

Houston, we had a problem! A recently discovered series of vulnerabilities left your Microsoft Account out in the open for complete takeover, with everything from Office to Outlook susceptible to hacking.

A security researcher discovered this bug: he was able to take over a Microsoft subdomain because its DNS was misconfigured. The subdomain's CNAME record pointed at an Azure web app hostname that was no longer claimed by anyone, so the bug hunter simply created an Azure web app under that name, and the dangling CNAME began resolving to a server under his control.

A CNAME record maps one hostname (an alias, such as a subdomain) to another, canonical hostname. The alias inherits whatever the target resolves to, so whoever controls the target effectively controls the subdomain.

By doing this, the researcher not only took control of that particular subdomain; he also received any and all traffic that browsers sent to it.

In other words, whenever a user logged into a Microsoft service whose login flow handed off to that subdomain, the login token was delivered to the server controlled by the researcher, giving him a valid session token he could use to sign in as the victim. No phishing page was involved: the user authenticated at the genuine Microsoft login, so phishing detection had nothing to catch.
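The condition behind this takeover, a CNAME that still points at a cloud hostname nobody owns any more, is something you can audit for in your own DNS. The following script is an added example, not code from the original article or from the researcher's report. It walks each subdomain's CNAME chain and flags chains that end in NXDOMAIN on a provider where any tenant can register the missing name. The zone data and the list of claimable provider suffixes are constructed for illustration; in production you would replace the injected resolver with real DNS lookups and extend the suffix list for the providers you use.

```python
"""Dangling-CNAME audit: flags subdomains whose CNAME chain ends at a
hostname that no longer exists on a provider where any tenant may register
that name (for example an Azure web app under azurewebsites.net).

Added example; the zone below is constructed, and the suffix list is
illustrative rather than exhaustive.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Provider suffixes where an unclaimed target name can be registered by
# anyone (assumption: illustrative list, extend it for your own estate).
CLAIMABLE_SUFFIXES = (
    "azurewebsites.net",
    "cloudapp.azure.com",
    "trafficmanager.net",
    "blob.core.windows.net",
)

Record = Tuple[str, str]                      # ("CNAME", target) or ("A", address)
Resolver = Callable[[str], Optional[Record]]  # None means NXDOMAIN


@dataclass
class Finding:
    name: str
    chain: List[str]
    severity: str
    reason: str


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot so names compare consistently."""
    return host.rstrip(".").lower()


def is_claimable(host: str) -> bool:
    """True when host sits under a suffix where anyone can claim the name."""
    h = normalize(host)
    return any(h == s or h.endswith("." + s) for s in CLAIMABLE_SUFFIXES)


def follow_cname(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[List[str], str]:
    """Walk the CNAME chain from name.

    Returns (chain, status) where status is 'resolves' (ends at a real
    record), 'nxdomain' (a hop does not exist) or 'loop' (cycle or too deep).
    """
    current = normalize(name)
    chain, seen = [current], {current}
    for _ in range(max_hops):
        record = resolve(current)
        if record is None:
            return chain, "nxdomain"
        rtype, value = record
        if rtype != "CNAME":
            return chain, "resolves"
        current = normalize(value)
        chain.append(current)
        if current in seen:
            return chain, "loop"
        seen.add(current)
    return chain, "loop"


def audit(names: List[str], resolve: Resolver) -> List[Finding]:
    """Return a Finding for every name whose CNAME chain does not resolve."""
    findings: List[Finding] = []
    for name in names:
        chain, status = follow_cname(name, resolve)
        if status == "resolves":
            continue
        if status == "nxdomain" and any(is_claimable(h) for h in chain[1:]):
            findings.append(Finding(name, chain, "high",
                "dangling CNAME to a claimable cloud hostname: whoever "
                "registers the target takes over this subdomain"))
        elif status == "nxdomain":
            findings.append(Finding(name, chain, "medium",
                "dangling CNAME; target does not exist but is not on a "
                "known claimable provider"))
        else:
            findings.append(Finding(name, chain, "low",
                "CNAME chain loops or is too deep"))
    return findings


def make_resolver(zone: Dict[str, Record]) -> Resolver:
    """Build an offline resolver over a constructed zone (swap for real DNS)."""
    table = {normalize(k): v for k, v in zone.items()}
    return lambda host: table.get(normalize(host))


# Constructed DNS data for the example; example-portal.azurewebsites.net is
# deliberately absent, modelling an Azure web app that was deleted while the
# CNAME pointing at it was left in place.
CONSTRUCTED_ZONE: Dict[str, Record] = {
    "portal.example.com": ("CNAME", "example-portal.azurewebsites.net"),
    "www.example.com": ("CNAME", "example-web.azurewebsites.net"),
    "example-web.azurewebsites.net": ("A", "20.0.0.10"),
    "old.example.com": ("CNAME", "retired.example.com"),
    "loop-a.example.com": ("CNAME", "loop-b.example.com"),
    "loop-b.example.com": ("CNAME", "loop-a.example.com"),
}

OWNED_SUBDOMAINS = ["portal.example.com", "www.example.com",
                    "old.example.com", "loop-a.example.com"]

if __name__ == "__main__":
    for f in audit(OWNED_SUBDOMAINS, make_resolver(CONSTRUCTED_ZONE)):
        print(f"[{f.severity}] {f.name}: {' -> '.join(f.chain)} ({f.reason})")
```

Run against the constructed zone, it reports portal.example.com as high severity (the Azure target is gone and anyone could register it), old.example.com as medium (dangling, but the target is on a domain you still own), and the loop as low. The important design choice is that severity depends on who could claim the missing target, not merely on the NXDOMAIN; a dangling record pointing into your own zone is an untidiness, one pointing into a shared cloud namespace is an open door.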

These critical issues were reportedly disclosed to Redmond in June and were fixed just last month, in November.

Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to this attacker-controlled subdomain after a user logged in through the Microsoft Live login system.

That is to say, anyone's Office account, even enterprise and corporate ones, could in theory be hijacked this way. An attacker could then read emails, documents and other files, and because he would be using a legitimately issued token, telling him apart from the real user would have been nearly impossible.

Makes one shiver, just typing it!

