Sahad NK, a security researcher at Safetydetective.com, discovered multiple critical vulnerabilities which, when chained together, allow hackers to take control of over 400 million Microsoft Store, Microsoft Outlook, or Microsoft Sway accounts. According to the company’s blog, there were two major flaws. The first allowed the researchers to take over a defunct subdomain, “success.office.com,” which was tied to a Microsoft Azure Web App service that is no longer available. The researchers took over this subdomain by registering an Azure web app with the name “successcenter-msprod. (CNAME).” This enabled them to control the domain success.microsoft.com and any data being sent to it.
The second vulnerability was related to improper authentication in Microsoft Outlook, Store, and Sway. These three services are said to accept the aforementioned domain as a valid “wreply” URL, which enabled the researchers to obtain tokens that could be exchanged for a session token and used to log in as the user whose token was captured, without requiring any credentials. The company says that these security vulnerabilities were quite serious, since an attacker could gain access to the victim’s emails even if an antivirus was installed.
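A defender-side check for the chain described above, added here as an example and not taken from SafetyDetective or Microsoft: it drops from a reply-URL allowlist any host whose CNAME points at an unclaimed cloud app, then validates `wreply` by exact host match. The hostnames, the allowlist, the provider suffix list and the `target_exists` lookup are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data: hostnames, CNAME targets and the allowlist are
# illustrative placeholders, not values from the article.
CLOUD_SUFFIXES = (".azurewebsites.net",)
CNAMES = {
    "login-help.example.com": "help-prod.azurewebsites.net",
    "success.example.com": "successcenter-old.azurewebsites.net",
    "www.example.com": "edge.example-cdn.net",
}
LIVE_TARGETS = {"help-prod.azurewebsites.net", "edge.example-cdn.net"}
REPLY_ALLOWLIST = {"login-help.example.com", "success.example.com",
                   "www.example.com"}


def dangling_hosts(cnames, target_exists):
    """Hosts whose CNAME points at a cloud app name nobody currently owns."""
    return {
        host for host, target in cnames.items()
        if target.endswith(CLOUD_SUFFIXES) and not target_exists(target)
    }


def safe_reply_hosts(allowlist, cnames, target_exists):
    """Allowlist minus every host a third party could claim."""
    return set(allowlist) - dangling_hosts(cnames, target_exists)


def is_valid_wreply(url, allowed_hosts):
    """Accept only https URLs whose host is an exact allowlist entry."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed host or port
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Reject userinfo tricks (https://trusted@other/) and unusual ports.
    if parts.username or parts.password or port not in (None, 443):
        return False
    return host.rstrip(".") in allowed_hosts
```

In production, `target_exists` would be backed by a DNS lookup or the cloud provider's inventory rather than a static set.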
Sahad and his team contacted Microsoft through its responsible disclosure program immediately after finding these vulnerabilities and began working with the company to resolve them. SafetyDetective says that it reported these flaws to Microsoft in June and that they were fixed by the end of November 2018. “While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store,” SafetyDetective wrote in a blog post.
Bug bounty programs are a great way for companies to find vulnerabilities in their systems that might otherwise go undetected. Almost all major software companies, including Facebook, Microsoft, and Google, use such programs to incentivise people to find flaws in their services and get rewarded in the process. Previously, a security researcher on Twitter discovered a new zero-day vulnerability in Microsoft Windows that was capable of letting an exploit delete system files. The vulnerability was stated to affect all recent versions of Windows 10, which at the time included the most recent October 2018 Update.