According to web application security specialists, a recently patched vulnerability in Microsoft's login system could have been exploited to trick some users into granting hackers full access to their online accounts.
Thanks to this vulnerability, threat actors could silently extract access tokens and use them to reach victims' accounts without having to re-enter a password. These tokens are created by applications or websites and are used in place of usernames and passwords after users have first authenticated, allowing a persistent connection to the website and access to third-party web applications without having to hand over their passwords there too.
The web application security experts behind the report say that Microsoft left a security loophole that, if exploited, could be used by hackers to redirect these access tokens without the victims noticing the malicious activity.
The experts reported dozens of unregistered subdomains connected to some Microsoft-developed applications. These applications are highly trusted, and their associated subdomains can obtain access tokens automatically and without users' consent. Controlling one of these subdomains, a threat actor only needs to trick the user into clicking a specially crafted link, attached to an email or placed on a website, to extract the access token.
Most worryingly, the web application security specialists say this could be achieved with minimal user interaction, since a malicious website could silently trigger a request equivalent to clicking the link, stealing the user's token in the same way.
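The failure mode described above is an authorization server trusting redirect targets under a domain without checking that each host is registered and actually controlled by the application owner. The following Python is an added illustration, not code from the report or from Microsoft; the hostnames, the registered redirect list and the resolver are constructed placeholders. It contrasts the loose "any subdomain of the trusted domain" check with an exact-match check, and adds an audit helper that flags registered redirect hosts that no longer resolve.

```python
from urllib.parse import urlsplit

# Constructed sample of what an authorization server might hold for one client:
# the exact redirect URIs registered for it (hypothetical hosts).
REGISTERED_REDIRECTS = {
    "https://app.example-tenant.com/auth/callback",
    "https://portal.example-tenant.com/signin-oidc",
}
TRUSTED_BASE_DOMAIN = "example-tenant.com"


def loose_redirect_ok(redirect_uri: str) -> bool:
    """The weak pattern: accept any https host under the trusted base domain.
    An unclaimed subdomain that an attacker manages to register passes this
    check, so the token would be delivered to a host the owner never set up."""
    parts = urlsplit(redirect_uri)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == TRUSTED_BASE_DOMAIN or host.endswith("." + TRUSTED_BASE_DOMAIN)
    )


def strict_redirect_ok(redirect_uri: str) -> bool:
    """The defensive check: scheme, host and path must exactly equal one
    registered value. No wildcard hosts, and no fragment, query, userinfo or
    non-default port, which would otherwise leave room for lookalike URIs."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.fragment or parts.query or parts.port not in (None, 443):
        return False
    normalized = f"https://{parts.hostname.lower()}{parts.path or '/'}"
    return normalized in REGISTERED_REDIRECTS


def dangling_redirect_hosts(registered, resolve):
    """Audit helper: return registered redirect hosts that `resolve` (a
    callable returning True when the host resolves) cannot resolve. A
    registered but unclaimed host is the kind of entry the report describes
    and should be removed from the registration or claimed by the owner."""
    hosts = {urlsplit(uri).hostname for uri in registered}
    return sorted(h for h in hosts if h and not resolve(h))
```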
The good news is that the unregistered subdomains have already been reported to Microsoft, which prevents their malicious use. However, the experts note that more such subdomains could still be found. The report was issued in October and the company fixed the fault about twenty days later.
Security flaws had been found in Microsoft's login system before. Last year, web application security specialists at the International Institute of Cyber Security (IICS) reported that the company fixed a flaw that allowed hackers to alter the records of a Microsoft subdomain in order to extract access tokens.