Microsoft account-hijacking hole closed 48 hours after bug report

Token-harvesting attack meant one login could open doors to multiple Microsoft services

British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attacker's phishing quiver, save for the fact that Microsoft fixed it.

Whitton quietly reported the flaw to Microsoft which pounced and took only two days to process and patch the flaw.

The flaw meant attackers would have been able to set up phishing sites for Microsoft assets like Outlook and then capture tokens which could then be used through manipulated POST data to log into accounts.

Whittop wrote "... it’d be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."

"Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large."

Users logged into Microsoft assets who attempt to login to other Redmond services are issued a token from a login Microsoft domain.

The login domain URLs are open to cross-site request forgery attacks, allowing attackers to steal the tokens.

Whitton says they would do this by crafting malicious links that look like login screens for Microsoft titles, but instead capture the resulting token.

The tokens are only sent if users are logged into a Microsoft product and only work for the asset there are issued for; Outlook's token will not work for Azure.

Whitton says attackers could have used hidden iframes to conceal requests for tokens of all stripes. ®


Biting the hand that feeds IT © 1998–2017