A security researcher has won $24,000 from Microsoft for finding a critical flaw in its Live.com authentication system that could allow hackers to gain access to a user’s complete Outlook account or other Microsoft services.
Microsoft’s Live.com is the authentication system that everyone goes through when signing in to Outlook.com and a large number of other Microsoft services, including OneDrive, Windows Phone, Skype, and Xbox LIVE.
Hacking Hotmail (Outlook.com) Account
It’s one account for all services. So if, say, Outlook wants to access other apps, it uses a standard authorization protocol called OAuth.
OAuth is an open standard for authorization that keeps your password safe from third-party sites: instead of sharing your password, it hands the app a special key called an ‘access token’ that grants access to your account.
OAuth authorizations are granted through a consent prompt, as shown below; to allow an app to gain access to your account, you need to click ‘Yes’.
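To make the consent step concrete, here is an added example of a minimal OAuth authorization server in Python. It is illustrative code written for this article, not Microsoft's Live.com implementation and not the mechanism Wineberg exploited (the article does not detail it). The client registrations, redirect URIs and user names are constructed. It shows the two properties the consent prompt is supposed to guarantee: no token is issued unless the user actually answered ‘Yes’, and the authorization code is only delivered to a redirect URI the app registered in advance, so a page the victim merely visits cannot collect it.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Client:
    """A registered OAuth app (constructed sample data)."""
    client_id: str
    redirect_uris: frozenset  # exact-match allow-list, registered ahead of time


@dataclass
class AuthServer:
    """Toy authorization server: consent prompt + code/token exchange."""
    clients: dict
    codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, scope, user)
    tokens: dict = field(default_factory=dict)  # token -> (user, scope)

    def authorize(self, client_id, redirect_uri, scope, user, consent_given):
        """The consent prompt. Returns an authorization code only if the
        user clicked 'Yes'; otherwise None. Raises for unknown clients or
        redirect URIs that were not registered for that client."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        # Exact match against the registered list; no prefix or wildcard matching.
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri is not registered for this client")
        if not consent_given:
            return None  # user declined (or never saw the prompt): nothing leaves the server
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, user)
        return code

    def exchange(self, client_id, code, redirect_uri):
        """Swap a single-use code for an access token. The token stands in
        for the password: it is bound to one user and one scope."""
        entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            raise ValueError("unknown or already-used code")
        bound_client, bound_uri, scope, user = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            raise ValueError("code was issued to a different client/redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, scope)
        return token

    def who_is(self, token):
        """What a resource server (e.g. a mailbox API) learns from a token."""
        return self.tokens.get(token)


def build_server():
    """Constructed registrations: one legitimate app, one app the user never approved."""
    return AuthServer(clients={
        "calendar-app": Client("calendar-app", frozenset({"https://calendar.example/cb"})),
        "evil-app": Client("evil-app", frozenset({"https://evil.example/cb"})),
    })


def consent_flow(server, client_id, redirect_uri, user, consent_given, scope="mail.read"):
    """Run prompt -> code -> token; returns the token or None if consent was refused."""
    code = server.authorize(client_id, redirect_uri, scope, user, consent_given)
    if code is None:
        return None
    return server.exchange(client_id, code, redirect_uri)


if __name__ == "__main__":
    srv = build_server()
    tok = consent_flow(srv, "calendar-app", "https://calendar.example/cb", "alice", True)
    print("granted:", srv.who_is(tok))
    print("declined:", consent_flow(srv, "calendar-app", "https://calendar.example/cb", "alice", False))
```

The two checks that matter for the attack class described in this article are the `consent_given` gate and the exact-match `redirect_uri` allow-list; if either is bypassable, an app the user never approved can end up holding a token for the whole account.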
However, Synack security researcher Wesley Wineberg found an amazing hack that allowed him to bypass Microsoft’s OAuth protection mechanism using his malicious ‘proof-of-concept’ app, named ‘Evil App.’
According to the technical details posted by the researcher, the attacker’s malicious app could effectively gain access to everything in the victim’s account just by tricking the victim into visiting a web page, with no other user interaction required.
You can watch the video demonstration below, which shows the attack in action:
What’s more concerning about this vulnerability, according to Wineberg, is that it could have been exploited and abused by malicious hackers to create a nasty email worm.
“Using this as a targeted attack definitely has a high impact, but this is also the perfect type of vulnerability to turn into a worm,” Wineberg wrote. “A worm could easily email all of a user’s contacts, with something enticing…and spread to every user who clicks the link.”
Microsoft patched the vulnerability in mid-September and paid out a whopping $24,000 to Wineberg under the tech titan’s bug bounty program.
Earlier this week, Cybereason security researchers discovered more issues in Microsoft’s Outlook app that affected business users.