Microsoft Account Bug Left It Wide Open To Be Hijacked By Anyone

  • Charanjeet Singh
  • December 12, 2018
Image: Microsoft Office (Shutterstock)

A massive bug reported by Sahad Nk could have allowed hackers to take over a user's Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by getting that user to click a crafted link.

Upon a little inspection, the India-based bug hunter discovered that a Microsoft subdomain, “success.office.com,” pointed via its CNAME record to an Azure service.

Naturally, since the CNAME record pointed to an unconfigured Azure Web service endpoint, Sahad was able to claim that endpoint and link it to the Office domain himself. From that point on, success.office.com, and any data sent to it, was under Sahad's control.

However, this wasn't much of a problem on its own until Sahad combined it with another Microsoft vulnerability, one that tricked Microsoft apps like Store, Sway, and Outlook into sending users' login data to his newly claimed subdomain.

That second vulnerability was a wildcard regex that caused these Microsoft apps to trust any subdomain matching the pattern, including the one Sahad now controlled.
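To make the wildcard problem concrete, here is an added Python example (not Microsoft's code and not from the bug report): a permissive regex-based trusted-domain check of the kind the article describes, beside an exact host allowlist. The allowlisted hostnames `outlook.office.com` and `sway.office.com`, and the `evil.example` host, are assumed for illustration; the example also shows that such a regex can be fooled by a URL that merely contains the matched text, which goes beyond the takeover case on this page.

```python
import re
from urllib.parse import urlparse

# Weak check (constructed illustration): a wildcard regex that trusts
# any host ending in .office.com, so a taken-over subdomain is trusted too.
WEAK_PATTERN = re.compile(r"^https://.*\.office\.com(/.*)?$")


def weak_redirect_allowed(url: str) -> bool:
    """Return True if the wildcard regex accepts the redirect target."""
    return WEAK_PATTERN.match(url) is not None


# Hardened check: parse the URL and compare the host against an exact
# allowlist. Hostnames below are assumed for the example.
ALLOWED_HOSTS = frozenset({"outlook.office.com", "sway.office.com"})


def strict_redirect_allowed(url: str) -> bool:
    """Return True only for https URLs whose host is exactly allowlisted."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo tricks such as https://trusted.host@evil.example/
    if parts.username is not None or port not in (None, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample targets: a legitimate app host, a subdomain an
    # attacker has taken over, and a foreign host with ".office.com" in the query.
    for target in ("https://outlook.office.com/owa/",
                   "https://success.office.com/callback",
                   "https://evil.example/?next=.office.com"):
        print(target, weak_redirect_allowed(target), strict_redirect_allowed(target))
```

Only the first target passes the strict check, while the wildcard regex accepts all three, which is exactly the trust gap the taken-over subdomain exploited.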

How could this chain of vulnerabilities have been used to hack millions of Microsoft accounts? Simply put, an attacker would craft a link that opens the Microsoft login page when clicked and send it to users through various channels.

Once a user logged in through that link and an access token was created (by asking the browser to “Remember me”), the token would immediately be passed on to the attacker-controlled subdomain, leaving the Microsoft account open to misuse.

The biggest problem was that the link looked far too legitimate for anyone, even Microsoft's own servers, to discern any wrongdoing. After all, it led to an ordinary Microsoft login page. That is what would have made the breach so dangerous for Microsoft users.

In short, anyone's Office account, be it an enterprise or corporate account, together with its email, documents, and other files, could have been easily accessed by a malicious attacker.

The worst part is that it would have been nearly impossible to distinguish the hackers from a legitimate user. Thankfully, the bug was reported by Sahad with the help of Paulos Yibelo, and Microsoft has fixed the vulnerability.
