Microsoft breathes again after potential breach

A compromised Microsoft subdomain could have ended in disaster.
11 December 2018


Many large companies offer bug bounty incentives to the technically minded, with the aim of shoring up security for their systems. Microsoft has recently paid out to an Indian bug-hunter, Sahad Nk, who uncovered a flaw chain that could have exposed millions of Microsoft accounts.

Nk discovered that a subdomain, success.office.com, had not been configured correctly: its DNS CNAME record still pointed at an Azure-hosted name that Microsoft no longer controlled. By claiming that name in his own Azure account he was able to take over the subdomain and receive all of its traffic, a classic dangling-record subdomain takeover.
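The check that catches this condition, as an added example that is not from the article or from Nk's report: a CNAME whose target sits on a hosting service where unclaimed names can be registered by anyone, and which no longer resolves, is a takeover candidate. The zone records, the resolver view and the specific Azure target name for success.office.com below are all constructed for the example; the real record from the report is not reproduced.

```python
"""Flag subdomains whose CNAME points at a cloud-hosted name that no longer
resolves: the dangling-record condition behind a subdomain takeover.

Added example, not code from the original article.  All records below are
constructed; the success.office.com target is an assumed placeholder.
"""
from typing import Callable, Dict, List, Optional

# Suffixes of services where an unclaimed target name can simply be created
# by any customer (assumed starting list; extend it for your own estate).
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".azureedge.net",
)

# Constructed zone: name -> CNAME target (None means an A record, not a CNAME).
CNAME_RECORDS: Dict[str, Optional[str]] = {
    "success.office.com": "success-office.azurewebsites.net",  # assumed, dangling
    "www.office.com": "www-office.azurewebsites.net",          # assumed, live
    "mail.office.com": None,                                   # A record, skipped
}

# Constructed resolver view: which target names currently resolve.
RESOLVABLE = {"www-office.azurewebsites.net"}


def resolves(name: str) -> bool:
    """Stand-in for a real lookup (e.g. socket.getaddrinfo) so this runs offline."""
    return name.lower().rstrip(".") in RESOLVABLE


def takeover_prone(target: str) -> bool:
    """True if the CNAME target lives on a service where the name can be re-claimed."""
    t = target.lower().rstrip(".")
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def find_dangling(records: Dict[str, Optional[str]],
                  resolver: Callable[[str], bool] = resolves) -> List[dict]:
    """Return one finding per CNAME that is both takeover-prone and unresolvable."""
    findings = []
    for name, target in records.items():
        if target is None:
            continue  # not a CNAME, nothing to hijack via the target name
        if takeover_prone(target) and not resolver(target):
            findings.append({
                "name": name,
                "target": target,
                "reason": "CNAME target does not resolve; anyone can claim it",
            })
    return findings


if __name__ == "__main__":
    for f in find_dangling(CNAME_RECORDS):
        print(f"{f['name']} -> {f['target']}: {f['reason']}")
```

In production the resolver would be a real DNS lookup, and a name that resolves today can dangle tomorrow when a web app is deleted, so the scan belongs in a scheduled job rather than a one-off audit.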

In itself that may only have provided a convincing landing domain for a phishing campaign, for example. But Nk also found that the Microsoft Office, Store and Sway apps would send authenticated login tokens to the hijacked domain after users signed in to their Microsoft account via login.live.com.

The apps validated the return address with a wildcard regular expression that trusted any office.com subdomain (effectively *.office.com), so the hijacked success.office.com qualified to receive a login token just as a genuine Microsoft host would.

In the delicate balancing act between ease of use and security, the Live sign-in flow carries a wreply parameter naming the URL the token should be returned to. A user who signed in to live.com from a crafted link in a bogus email, for instance, would have had their login token handed to success.office.com via that wreply URL. The token could then have provided unfettered access to the user's Microsoft account without any further checks taking place.
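The two validation styles side by side, as an added example that is not Microsoft's code or Nk's proof of concept: a wildcard check of the kind the article describes, next to an exact-match check against the redirect URIs each client registered. The client identifiers, registered URIs and test URLs are all assumptions constructed for the example.

```python
"""Return-URL (wreply / redirect_uri) validation: wildcard trust versus an
exact allowlist.  Added example; the client names and URLs are assumed.
"""
import re
from urllib.parse import urlsplit

# Vulnerable: any office.com subdomain passes, and the pattern has no end
# anchor, so it only checks that the string *starts* with something that
# looks like an office.com host.
WILDCARD_RE = re.compile(r"^https://[a-z0-9.-]*\.office\.com", re.IGNORECASE)


def wreply_ok_vulnerable(url: str) -> bool:
    """The wildcard style the article describes: a hijacked subdomain passes."""
    return WILDCARD_RE.match(url) is not None


# Hardened: each client registers its exact redirect URIs (assumed values).
REGISTERED_REDIRECTS = {
    "office-web": {"https://www.office.com/login/callback"},
    "sway": {"https://sway.office.com/auth/callback"},
}


def wreply_ok_hardened(client_id: str, url: str) -> bool:
    """Exact match on scheme, host (with port) and path; no wildcards, no userinfo,
    no fragment.  The query string is ignored so a state parameter can ride along."""
    allowed = REGISTERED_REDIRECTS.get(client_id)
    if not allowed:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # https://www.office.com@evil.example/ style tricks
    if parts.fragment:
        return False
    canonical = f"https://{parts.netloc.lower()}{parts.path or '/'}"
    return canonical in allowed


SAMPLE_URLS = [  # constructed test inputs
    "https://www.office.com/login/callback",          # genuine registered URI
    "https://success.office.com/cb",                  # hijacked subdomain
    "https://www.office.com.evil.example/x",          # prefix past the host
    "https://www.office.com@evil.example/login/callback",  # userinfo trick
    "http://www.office.com/login/callback",           # downgraded scheme
]


def compare(client_id: str = "office-web"):
    """Map each sample URL to (vulnerable verdict, hardened verdict)."""
    return {u: (wreply_ok_vulnerable(u), wreply_ok_hardened(client_id, u))
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (weak, strong) in compare().items():
        print(f"{'ACCEPT' if weak else 'reject'} / {'ACCEPT' if strong else 'reject'}  {url}")
```

Only the first URL survives the hardened check; the wildcard version accepts the first four, including the hijacked subdomain and two hosts that are not office.com at all. The durable fix is to stop pattern-matching return URLs altogether and compare against what each client registered.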

Because the attacker would have been presenting a legitimately issued token rather than guessing a password, no virtual red flags would have been raised. And once the token had been accepted, distinguishing the attacker's activity from the user's own would have been nigh-on impossible.

The flaw, had it gone unpatched, could have compromised millions of Microsoft accounts, both Personal and Business. Everything stored in those accounts, files, emails and personal information alike, would have been at risk – quite the haul.

The attack vector, token leakage, is the same class of problem that put millions of Facebook accounts at risk earlier this year, according to TechCrunch.

Two-factor or multifactor authentication would not have blocked this particular issue, because the leaked token is issued only after the user has completed every sign-in step; the fix lies in strict validation of where tokens are returned to. Bug bounty programs such as Microsoft's remain an excellent source of continuous improvement for large online presences.