A security researcher has been awarded a $13,000 bounty by Microsoft for
finding a critical flaw in its main authentication system that could
allow attackers to gain access to a user's Outlook, Azure and Office
accounts.
The vulnerability was uncovered by UK-based security consultant Jack Whitton and is similar to the OAuth CSRF (Cross-Site Request Forgery) flaw in Live.com discovered by Synack security researcher Wesley Wineberg.
The one difference between the two vulnerabilities is where they sit:
the flaw discovered by Wineberg affected Microsoft's OAuth authorization
flow, while the one discovered by Whitton affected Microsoft's main
authentication system itself.
Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.
For example, when a user browses to outlook.office.com, the browser is redirected to a login.microsoftonline.com URL that carries a 'wreply' parameter specifying which domain the user should be returned to after signing in.
How Does the Vulnerability Work?
If the user is already logged in, a POST request is made back to the
domain specified in wreply, carrying a login token for that user. The
service the user wants to authenticate on consumes that token and logs
the user in.
According to Whitton, this authentication URL was vulnerable to Cross-Site Request Forgery (CSRF).
The attack would let an attacker craft a malicious URL which, when
visited by an already authenticated user, causes the login token to be
posted to an attacker-controlled server instead of the legitimate service.
With that token in hand, the attacker could then gain full access to the victim's account on that service.
"The token is only valid for the service that issued it – an Outlook token can not be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."
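To make the failure mode concrete, here is an added example (written for this article, not Microsoft's code or anything from Whitton's post) of a mock identity provider handling a 'wreply'-style return URL. It contrasts a substring check on the raw URL, which an attacker can satisfy while still pointing the POST at their own host, with a parse-and-allowlist check, and it issues the login token bound to the destination host so that, as the quote above describes, a token for one service is useless at another. The allowlist entries other than outlook.office.com, the signing key, the form field name and the attacker hostnames are all made up for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical return-host allowlist. Only outlook.office.com appears in the
# article; the other two entries are placeholders for the example.
ALLOWED_RETURN_HOSTS = {
    "outlook.office.com",
    "portal.example-azure.test",
    "www.example-office.test",
}

# Constructed signing key for the demo IdP. A real one would live in an HSM/KMS.
IDP_SIGNING_KEY = b"demo-only-key-not-for-production"


def weak_wreply_ok(wreply: str) -> bool:
    """The bypassable pattern: a substring check on the raw URL string.

    Any attacker URL that merely *mentions* the trusted host passes, e.g.
    https://outlook.office.com.attacker.example/ or
    https://attacker.example/collect?next=outlook.office.com
    """
    lowered = wreply.lower()
    return lowered.startswith("https://") and "outlook.office.com" in lowered


def strict_wreply_ok(wreply: str) -> bool:
    """Parse the URL and require an exact, allowlisted https host.

    Rejects userinfo tricks (https://outlook.office.com%2F@attacker.example/),
    explicit ports, non-https schemes and backslashes, which browsers treat as
    path separators while many parsers do not.
    """
    if "\\" in wreply:
        return False
    parts = urlsplit(wreply)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        if parts.port is not None:
            return False
    except ValueError:  # malformed port such as "https://host:abc/"
        return False
    host = parts.hostname
    return host is not None and host in ALLOWED_RETURN_HOSTS


def issue_login_token(user: str, service_host: str) -> str:
    """Bind the token to the service it is issued for (HMAC over user|host)."""
    msg = f"{user}|{service_host}".encode()
    return hmac.new(IDP_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def verify_login_token(token: str, user: str, service_host: str) -> bool:
    """A token minted for outlook.office.com will not verify for another host."""
    expected = issue_login_token(user, service_host)
    return hmac.compare_digest(token, expected)


def build_login_post(session_user: str, wreply: str) -> tuple:
    """Simulate the IdP step: a signed-in user arrives with ?wreply=...

    Returns (target_url, form_fields) for the auto-submitted POST, or raises
    if the return URL is not an allowlisted service. The form field name
    'login_token' is invented for the demo.
    """
    if not strict_wreply_ok(wreply):
        raise ValueError("wreply is not an allowlisted return URL")
    host = urlsplit(wreply).hostname
    return wreply, {"login_token": issue_login_token(session_user, host)}


if __name__ == "__main__":
    # Constructed inputs: one legitimate return URL and three attacker URLs.
    for url in [
        "https://outlook.office.com/owa/",
        "https://outlook.office.com.attacker.example/",
        "https://attacker.example/collect?next=outlook.office.com",
        "https://outlook.office.com%2F@attacker.example/",
    ]:
        print(f"{url}\n  weak={weak_wreply_ok(url)} strict={strict_wreply_ok(url)}")
    target, form = build_login_post("alice", "https://outlook.office.com/owa/")
    print("POST to", target, "with", form)
```

Running the script prints `weak=True` for all but the userinfo variant while `strict=True` only for the genuine outlook.office.com URL. The design point is that the return URL must be parsed and compared host-for-host against an allowlist; pattern-matching the raw string is exactly the class of check that lets the login POST, token included, be steered to a domain the attacker controls.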
The good news is that Microsoft patched the vulnerability within two
days of Whitton reporting it to the company on January 24. The company
also paid the researcher $13,000 under its bug bounty program.