Technology
A bug left your Microsoft account wide open to complete takeover
/https%3A%2F%2Fblueprint-api-production.s3.amazonaws.com%2Fuploads%2Fcard%2Fimage%2F902674%2F7172b294-487c-4e22-8303-0e49c561f219.jpg)
Image: Miguel Candela/SOPA Images/LightRocket via Getty Images
2018-12-11 15:38:02 UTCBug bounty hunter Sahad Nk recently uncovered a series of vulnerabilities that left Microsoft users’ accounts — from your Office documents to your Outlook emails — susceptible to hacking.
While working as a security researcher with cybersecurity site , Nk discovered that he was able to take over the Microsoft subdomain, , because it wasn’t properly configured. This allowed the bug hunter to set up an Azure web app that pointed to the domain’s CNAME record, which maps domain aliases and subdomains to the main domain. By doing this, Nk not only takes control of the subdomain, but also receives any and all data sent to it.
This is where the second major vulnerability comes into play.
Microsoft Office, Outlook, Store, and Sway apps send authenticated login tokens to the subdomain. When a user logs in to Microsoft Live, login.live.com, the login token would leak over to the server controlled by Nk. He would then just have to send over an email to the user asking them to click a link, which would provide Nk with a valid session token — a way to log in to the user’s account without even needing their username or password. And, because Nk has access on Microsoft’s side, that link would come in the form of a login.live.com URL, bypassing phishing detection and even the savviest of internet users.
According to , the issues were reported to Microsoft in June. They were fixed just last month, in November.
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version=’2.0′;n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,’script’,’https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘1453039084979896’);
if (window._geo == ‘GB’) {
fbq(‘init’, ‘322220058389212’);
}
if (window.mashKit) {
mashKit.gdpr.trackerFactory(function() {
fbq(‘track’, “PageView”);
}).render();
}
The greatest Apple deals ahead of Black Friday sourced from an Apple deals expert
I tried to make Samsung’s Sketch to Image AI tool show me boobs
Acer Chromebook Plus Spin 714 review
How to identify AI-generated videos
25 greatest sci-fi films on Hulu that you can watch right now
Menendez brothers case reignites online: The questions that keep resurfacing
‘A Real Pain’ review: Jesse Eisenberg and Kieran Culkin charm as odd-couple cousins
Halloween 2024: Weekend debates, obscure memes, and a legacy of racism
Is ‘The Substance’ streaming? How to watch at home
M4 MacBook Pro vs. M3 MacBook Pro: What are the differences?
The 3 greatest October Prime Day robot vacuum deals — according to an expert
New to streaming, ranked (October 11, 2024)
‘Blitz’ review: Steve McQueen’s World War II epic dazzles but ultimately disappoints
Huge NASA spacecraft is flying to a perilous part of the solar system
Elon Musk’s Community Notes: What to know about X users fact-checking him
October Prime Day: Shop the greatest deals from Amazon, Apple, Garmin, LG, and more
Prime Day vs. Black Friday: Which sales are better?
How to watch ‘Beetlejuice Beetlejuice’ at home: Release date, streaming deals, and more
Who is Natalie Nunn? The star behind viral ‘Baddies, pose for me’ TikTok song
Amazon Prime Day: Shop the 300+ of the greatest deals from Amazon, Apple, Garmin, LG, and more
The greatest Apple deals ahead of Black Friday sourced from an Apple deals expert
I tried to make Samsung’s Sketch to Image AI tool show me boobs
Acer Chromebook Plus Spin 714 review
How to identify AI-generated videos
25 greatest sci-fi films on Hulu that you can watch right now
Menendez brothers case reignites online: The questions that keep resurfacing
‘A Real Pain’ review: Jesse Eisenberg and Kieran Culkin charm as odd-couple cousins
Halloween 2024: Weekend debates, obscure memes, and a legacy of racism
Is ‘The Substance’ streaming? How to watch at home
M4 MacBook Pro vs. M3 MacBook Pro: What are the differences?
-
Entertainment6 days agoWhen will we have 2024 election results online?
-
Entertainment5 days agoHalloween 2024: Weekend debates, obscure memes, and a legacy of racism
-
Entertainment7 days agoSocial media drives toxic fandom. Is there a solution?
-
Entertainment5 days agoIs ‘The Substance’ streaming? How to watch at home
-
Entertainment5 days agoM4 MacBook Pro vs. M3 MacBook Pro: What are the differences?
-
Entertainment4 days agoMenendez brothers case reignites online: The questions that keep resurfacing
-
Entertainment4 days ago‘A Real Pain’ review: Jesse Eisenberg and Kieran Culkin charm as odd-couple cousins
-
Entertainment4 days ago25 greatest sci-fi films on Hulu that you can watch right now
