A serious security vulnerability existed in the Microsoft login system. The researchers who found the flaw suspected that exploiting it could lead to account hijacking.
Microsoft Login System Vulnerability
Reportedly, researchers from Israeli security firm CyberArk have discovered a serious vulnerability in the Microsoft login system. Exploiting the vulnerability could allow account takeovers by potential attackers.
Describing the discovery in detail, TechCrunch reported that the bug affected apps integrated with Microsoft accounts.
The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without having them constantly re-enter their passwords.
A potential attacker could exploit the unregistered subdomains of these apps to create access tokens without users’ consent.
With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen.
However, in some cases, the attacker would require no user interaction at all, as a website with a malicious image could serve the purpose.
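An app owner can audit for the condition described above. The following is an added example, not code from CyberArk, Microsoft or the original article: it takes the URLs an app trusts (assumed here to be kept as a list in the app's configuration) and flags hosts that no longer resolve or that are wildcards. The host names and the `SAMPLE_DNS` stand-in resolver are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit


def default_resolver(host):
    """Return True if the host currently resolves in DNS (needs network access)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_trusted_urls(urls, resolves=default_resolver):
    """Map each trusted URL to 'ok', 'unresolved', 'wildcard' or 'invalid'."""
    findings, cache = {}, {}
    for url in urls:
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            host = ""
        if not host:
            findings[url] = "invalid"
        elif "*" in host:
            # A wildcard also trusts names that nobody has registered yet.
            findings[url] = "wildcard"
        else:
            if host not in cache:  # resolve each distinct host only once
                cache[host] = resolves(host)
            findings[url] = "ok" if cache[host] else "unresolved"
    return findings


# Constructed sample: URLs a hypothetical app trusts, and the names that exist.
SAMPLE_TRUSTED = [
    "https://login.app.example/callback",
    "HTTPS://Login.App.Example/other",
    "https://old-portal.app.example/callback",
    "https://*.apps.example/cb",
    "not a url",
]
SAMPLE_DNS = {"login.app.example"}


def sample_report():
    """Run the audit offline against the constructed DNS stand-in."""
    return audit_trusted_urls(SAMPLE_TRUSTED, resolves=lambda h: h in SAMPLE_DNS)


if __name__ == "__main__":
    for url, status in sample_report().items():
        print(f"{status:10} {url}")
```

A host that resolves is not proof of ownership, so each `ok` entry still has to be matched against resources the app owner actually controls.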
Fix Already Deployed
After finding the vulnerability, the researchers worked to register many of the subdomains associated with vulnerable Microsoft applications. Nonetheless, they feared that there could be more such subdomains.
They informed Microsoft of the flaw in October 2019. The tech giant has since confirmed that it deployed a patch for it with the November updates.
According to a Microsoft spokesperson’s statement to TechCrunch,
"We resolved the issue with the applications mentioned in this report in November and customers remain protected."
Recently, Microsoft has also addressed a spoofing vulnerability in Microsoft Outlook for Android. Exploiting the bug could allow an attacker to conduct cross-site scripting attacks in the context of the current user.