A massive bug reported by Sahad Nk could have allowed hackers to take over Microsoft Outlook, Microsoft Store, or Microsoft Sway accounts simply by getting users to click a crafted link.
Upon a little inspection, the India-based bug hunter discovered that a Microsoft subdomain, “success.office.com,” pointed via its CNAME record to an Azure service.
Because the Azure host that the CNAME record pointed to was unconfigured, Sahad was able to claim it, which effectively linked the Office subdomain to a host under his control. From then on, success.office.com, and any data sent to it, was in Sahad's hands.
However, this wasn't much of a problem on its own until Sahad combined it with another Microsoft vulnerability, which tricked Microsoft apps such as Store, Sway, and Outlook into sending login credentials entered by users to his newly claimed domain.
That second vulnerability was a wildcard regular expression that made these Microsoft apps trust the subdomain Sahad had taken over.
How could this chain of vulnerabilities have been used to hack millions of Microsoft accounts? Simply put, attackers would have created a link that opened the Microsoft login page when clicked and sent it to users through various channels.
Once a user logged in through that link and an access token was created (with the “Remember me” option selected), the token would immediately be passed to the attacker-controlled subdomain, leaving the Microsoft account open to misuse.
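The two weaknesses described above, a dangling CNAME that anyone can claim and a wildcard pattern that trusts every subdomain, are easy to reproduce in miniature. The following Python is an added example written for this article, not Microsoft's code; the hostnames, the CNAME targets, the allowlist and the wildcard pattern are all constructed assumptions that illustrate the pattern, not the real configuration. It shows a wildcard redirect check accepting the abandoned subdomain, an exact-match allowlist rejecting it, and a simple inventory check that flags CNAME records pointing at unprovisioned provider hosts.

```python
import re
from urllib.parse import urlsplit

# Constructed: hostnames the identity service is meant to redirect tokens to.
# These are illustrative placeholders, not Microsoft's real redirect targets.
TRUSTED_REDIRECT_HOSTS = {
    "outlook.office.com",
    "store.office.com",
    "sway.office.com",
}

# Weak check, in the style the article describes: a wildcard pattern that
# trusts any host under office.com. A dangling subdomain someone else has
# claimed (success.office.com in the article) passes just like the real apps.
WILDCARD_PATTERN = re.compile(r"^https://[a-z0-9.-]+\.office\.com(/|$)")


def redirect_allowed_wildcard(redirect_uri: str) -> bool:
    """Return True if the URI matches the over-broad wildcard pattern."""
    return WILDCARD_PATTERN.match(redirect_uri) is not None


def redirect_allowed_allowlist(redirect_uri: str) -> bool:
    """Strict check: https only, no credentials or port, exact host allowlist."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.username or parts.password or parts.port:
        return False
    return parts.hostname in TRUSTED_REDIRECT_HOSTS


# Constructed sample redirect targets, including the dangling-subdomain case.
SAMPLE_REDIRECTS = [
    "https://outlook.office.com/mail/",          # legitimate app
    "https://success.office.com/",               # abandoned subdomain from the article
    "https://outlook.office.com.evil.example/",  # lookalike host, constructed
]


def compare(uris=SAMPLE_REDIRECTS):
    """Map each URI to (wildcard verdict, allowlist verdict) for side-by-side review."""
    return {u: (redirect_allowed_wildcard(u), redirect_allowed_allowlist(u)) for u in uris}


# Constructed DNS inventory: subdomain -> CNAME target. The targets are
# placeholder names on the Azure App Service suffix, not real records.
CNAME_RECORDS = {
    "success.office.com": "success-office-demo.azurewebsites.net",
    "docs-demo.office.com": "docs-demo-app.azurewebsites.net",
}

# Constructed: provider hosts the organisation actually has provisioned.
PROVISIONED_TARGETS = {"docs-demo-app.azurewebsites.net"}


def find_dangling_cnames(cname_records, provisioned_targets):
    """Return subdomains whose CNAME target is not provisioned and so is claimable."""
    return sorted(sub for sub, target in cname_records.items()
                  if target not in provisioned_targets)


if __name__ == "__main__":
    for uri, (wild, strict) in compare().items():
        print(f"{uri}: wildcard={wild} allowlist={strict}")
    print("dangling:", find_dangling_cnames(CNAME_RECORDS, PROVISIONED_TARGETS))
```

The design point is that the redirect check should be an exact comparison against hosts the service owns and operates, not a pattern over a parent domain, and that DNS inventory should be reconciled against what is actually provisioned so that a record like success.office.com is caught before anyone else can claim its target.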
The biggest problem was that the link looked entirely legitimate, even to Microsoft's own servers, so there was nothing to hint at wrongdoing; the page it opened was a genuine Microsoft login page. The breach would therefore have been dangerous for Microsoft users.
In short, anyone's Office account, whether a personal or corporate account, including their email, documents, and other files, could easily have been accessed by a malicious attacker.
The worst part is that it would have been nearly impossible to distinguish an attacker from a legitimate user. Thankfully, Sahad reported the bug, with help from Paulos Yibelo, and Microsoft fixed the vulnerability.