Even though Microsoft already fixed the vulnerability in its login system but according to security researchers this loophole could have been used by attackers to manipulate victims into giving complete access to their online accounts without them even realizing it at all.
According to the security researchers, this bug can quietly allow attackers to steal the account tokens which multiple websites and apps use to grant access to its users without the need of them to constantly re-entering the passwords on their sites. These tokens created by app or website are put in a place of username and password after the user's login and this token keeps the user continuously logged into the site but along with that also enables users to access various third-party apps and websites without directly providing their passwords.
The Israeli cybersecurity company named CyberArk found this loophole in Microsoft which if left open can be easily exploited and used to siphon off the accounts tokens used to access the account of potential victims probably without them even noticing it at all. CyberArk shared its latest research with media outlets, which explains that there are dozens of unregistered subdomains connected to multiple apps built by Microsoft. These in-house apps are trusted highly and the subdomains associated with it can be used to generate tokens to automatically access to users without the need for any explicit consent from the users at all. If the attackers can get access to the subdomains, the only thing left for the attacker to do is manipulate victims into clicking on the crafted link in email or on the website and the token can easily be stolen. According to some security researchers, this trick could be done in a few seconds and with the zero-click way which means that almost no user interaction would be required at all. An embedded web page hidden in a malicious website could also trigger the same request as a link in the malicious email to steal the tokens of a user’s account without alerting them at all.
Even though the researchers registered as many subdomains as much they could find from the apps that seem vulnerable so that no malicious misuse can happen but the security researchers also warned about more subdomains being left out. In late October, this security flaw was reported to Microsoft and the tech company fixed this issue within the following three weeks. According to Microsoft, this issue was resolved which involved applications mentioned in the report by security researchers and the customers remain protected.
Photo: Wellesenterprises via Getty Images
Read next: Windows 7 Is About To Receive Its Last Update From Microsoft. Here’s How to Switch to Windows 10 For Free
According to the security researchers, this bug can quietly allow attackers to steal the account tokens which multiple websites and apps use to grant access to its users without the need of them to constantly re-entering the passwords on their sites. These tokens created by app or website are put in a place of username and password after the user's login and this token keeps the user continuously logged into the site but along with that also enables users to access various third-party apps and websites without directly providing their passwords.
The Israeli cybersecurity company named CyberArk found this loophole in Microsoft which if left open can be easily exploited and used to siphon off the accounts tokens used to access the account of potential victims probably without them even noticing it at all. CyberArk shared its latest research with media outlets, which explains that there are dozens of unregistered subdomains connected to multiple apps built by Microsoft. These in-house apps are trusted highly and the subdomains associated with it can be used to generate tokens to automatically access to users without the need for any explicit consent from the users at all. If the attackers can get access to the subdomains, the only thing left for the attacker to do is manipulate victims into clicking on the crafted link in email or on the website and the token can easily be stolen. According to some security researchers, this trick could be done in a few seconds and with the zero-click way which means that almost no user interaction would be required at all. An embedded web page hidden in a malicious website could also trigger the same request as a link in the malicious email to steal the tokens of a user’s account without alerting them at all.
Even though the researchers registered as many subdomains as much they could find from the apps that seem vulnerable so that no malicious misuse can happen but the security researchers also warned about more subdomains being left out. In late October, this security flaw was reported to Microsoft and the tech company fixed this issue within the following three weeks. According to Microsoft, this issue was resolved which involved applications mentioned in the report by security researchers and the customers remain protected.
Bottom Line
This is definitely not the first time that Microsoft was accused of leaving some loopholes on its platforms and not the first time that Microsoft responded to the reports by fixing the bug in its login system. If you take a look at Microsoft a year back, the tech giant fixed a similar bug in which researchers reported that the records of improperly configured Microsoft subdomain could be altered and used to steal the Office account tokens.
Photo: Wellesenterprises via Getty Images
Read next: Windows 7 Is About To Receive Its Last Update From Microsoft. Here’s How to Switch to Windows 10 For Free
