An Indian security researcher and bug bounty hunter found that a chain of vulnerabilities made it possible to hijack virtually any Microsoft user account, from Outlook mailboxes to Office documents.
The entry point was Microsoft's subdomain http://success.office.com/ -- a site taken offline since the disclosure. The researcher, Sahad NK, contracted by security review site SafetyDetective, found that a misconfigured DNS record allowed an outsider to take over the subdomain.
The company said the vulnerabilities were reported to Microsoft in June and fixed at the end of November this year.
How the bug hunter fooled Microsoft's centralized login
In his blog, Sahad explained that during initial reconnaissance he enumerated the subdomains of office.com and found that many of them pointed to Azure instances.
Among these was success.office.com, which had a CNAME record pointing to an Azure web app (App Service) hostname. A CNAME is a DNS canonical-name record that aliases one name to another; if the name it points to is no longer claimed by anyone, the alias dangles, and whoever registers that name receives the traffic meant for the alias.
Describing the takeover, the researcher said he created a web app in the Azure portal whose hostname matched the dangling CNAME target, then added success.office.com as a custom hostname on that app. Azure accepted the hostname because Microsoft's own CNAME already pointed at it.
From that point he controlled success.office.com and any data a browser sent to it.
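The reconnaissance step above amounts to finding CNAMEs that alias a trusted name to an Azure hostname nobody currently owns. The following Python is an added example, not code from the researcher or from SafetyDetective: it classifies a constructed set of DNS records and flags the dangling ones. The subdomain names other than success.office.com, the Azure target names, and the resolution table are all made up for illustration.

```python
"""Flag subdomains whose CNAME points at an Azure hostname that no longer
resolves, i.e. candidates for the kind of takeover described above.
All DNS data below is constructed for illustration, not real records."""
from typing import Callable, Dict, List, Optional

# Azure service suffixes whose names are first-come, first-served: anyone who
# creates a resource with the matching name in their own subscription owns it.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".blob.core.windows.net",
    ".azureedge.net",
)

# Constructed zone data: subdomain -> CNAME target (None = A record, no alias).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "success.office.com": "success-office.azurewebsites.net",  # hypothetical target name
    "www.office.com": "www-office.azurewebsites.net",          # hypothetical
    "docs.office.com": None,                                   # hypothetical, plain A record
    "cdn.office.com": "office-cdn.azureedge.net",              # hypothetical
}

# Constructed view of which targets still resolve (True) or are NXDOMAIN (False).
SAMPLE_TARGET_EXISTS: Dict[str, bool] = {
    "www-office.azurewebsites.net": True,
    "success-office.azurewebsites.net": False,  # app deleted, name unclaimed
    "office-cdn.azureedge.net": True,
}


def is_azure_target(hostname: str) -> bool:
    """True if the hostname sits under one of the claimable Azure suffixes."""
    host = hostname.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in AZURE_SUFFIXES)


def find_dangling(cnames: Dict[str, Optional[str]],
                  target_exists: Callable[[str], bool]) -> List[str]:
    """Return subdomains whose CNAME target is an Azure name that no longer
    resolves. `target_exists` is injected so the check can run offline here
    and be swapped for a real DNS query in a live scan."""
    dangling = []
    for sub, target in cnames.items():
        if target is None:
            continue  # direct A/AAAA record, nothing to hijack via aliasing
        if not is_azure_target(target):
            continue  # not one of the claimable suffixes handled here
        if not target_exists(target):
            dangling.append(sub)
    return sorted(dangling)


def sample_lookup(target: str) -> bool:
    """Stand-in resolver over the constructed table (unknown names = NXDOMAIN)."""
    return SAMPLE_TARGET_EXISTS.get(target, False)


if __name__ == "__main__":
    for sub in find_dangling(SAMPLE_CNAMES, sample_lookup):
        print(f"[!] {sub} -> {SAMPLE_CNAMES[sub]} is unclaimed: takeover candidate")
```

In a live scan, `sample_lookup` would be replaced by a resolver query that treats NXDOMAIN on the target as "unclaimed". The fix on the defending side is the mirror image: delete or repoint the CNAME before decommissioning the Azure resource, and audit the zone for aliases into these suffixes that no longer resolve.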
That was not the only vulnerability. The second was an improper authorization check in Microsoft's centralized login system: rather than matching redirect URIs against an exact allowlist, it trusted every subdomain of office.com. It therefore accepted success.office.com as a legitimate redirect URL and sent login tokens to the now attacker-controlled host.
In this way the attacker could satisfy the OAuth redirect check and receive a valid token for the victim. A user who clicked a crafted login link would complete a genuine Microsoft sign-in, and the resulting token would land on the attacker's server, giving the attacker control of that account.
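The redirect check described above is the second half of the chain. The Python below is an added example, not Microsoft's code or the researcher's: it places a permissive subdomain-wildcard check beside an exact-match allowlist and simulates the authorization server's redirect so the difference is visible. The callback paths, the registered URIs, and the token value are constructed; only the trust in success.office.com comes from the article.

```python
"""OAuth redirect_uri validation: the permissive check the article describes
(any *.office.com host is trusted) beside an exact-match allowlist.
URIs, paths and the token value are constructed for illustration."""
from typing import Callable, Optional
from urllib.parse import urlsplit

TRUSTED_PARENT = "office.com"

# Exact registered redirect URIs (constructed). RFC 6749 expects the server to
# compare the presented redirect_uri with these by simple string comparison.
REGISTERED_REDIRECTS = {
    "https://www.office.com/auth/callback",
    "https://outlook.office.com/owa/",
}

# Hypothetical collector on the taken-over subdomain.
ATTACKER_REDIRECT = "https://success.office.com/steal"


def weak_redirect_ok(redirect_uri: str) -> bool:
    """Permissive check: any https host that is office.com or a subdomain of it
    is accepted. A hijacked subdomain passes exactly like a legitimate one."""
    parts = urlsplit(redirect_uri)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)
    )


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact-match check against the registered set. Fragments and userinfo
    are rejected outright; they never appear in a registered URI."""
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.username or parts.password:
        return False
    return redirect_uri in REGISTERED_REDIRECTS


def issue_redirect(redirect_uri: str,
                   check: Callable[[str], bool],
                   token: str = "tkn-constructed") -> Optional[str]:
    """Simulate the authorization endpoint after a successful sign-in: if the
    redirect_uri passes `check`, return the Location value that would carry
    the token (implicit-grant style, in the fragment) to that host."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}&token_type=bearer"


if __name__ == "__main__":
    for name, check in (("weak", weak_redirect_ok), ("strict", strict_redirect_ok)):
        location = issue_redirect(ATTACKER_REDIRECT, check)
        verdict = f"token sent to {location}" if location else "redirect rejected"
        print(f"{name:6}: {verdict}")
```

Note that the weak check is not sloppy in the usual ways (it insists on https and rejects `office.com.evil.example`); its flaw is the trust boundary. Every host under office.com is treated as equivalent to the login system itself, so a single dangling CNAME anywhere in the zone is enough to receive tokens. The strict version makes the redirect target a per-application registration decision, which is the behaviour to check for when reviewing an authorization server.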