Microsoft Pays $24,000 to Hacker


A security researcher has earned $24,000 from Microsoft for finding a critical flaw in its Live.com authentication system that could have allowed attackers to take over a user's entire Outlook account, and with it the user's other Microsoft services.
Live.com is the single sign-on system that every user goes through to authenticate to Outlook.com and a large number of other Microsoft services, including OneDrive, Windows Phone, Skype and Xbox LIVE.

Hacking Hotmail (Outlook.com) Account

It is one account for all services. So when a third-party app wants to act on your Outlook data, it does not get your password; it goes through a standard authorization protocol called OAuth.
OAuth is an open standard for authorization that keeps your password away from third-party sites. Instead of sharing the password, you grant the app a special key, an 'access token', that is limited to the permissions (scopes) the app asked for.
That grant happens through a consent prompt, as shown below: to allow an app to gain access to your account, you have to click 'Yes'.
[Image: the Microsoft account consent prompt asking the user to allow an app access]
However, Synack security researcher Wesley Wineberg found a way to bypass Microsoft's OAuth protection mechanism using a malicious proof-of-concept app he named 'Evil App'.
According to the technical details Wineberg published, the attacker's app could effectively gain access to everything in the victim's account just by tricking the victim into visiting a web page; no consent click or other user interaction was required.
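To make concrete what the consent prompt described above is supposed to guarantee, here is a toy OAuth authorization endpoint written for this article. It is not Microsoft's Live.com code and it does not reproduce Wineberg's bypass (his write-up, not this page, has the mechanism); it only shows the two invariants a malicious 'Evil App' has to defeat: the user must have clicked 'Yes' for that exact client, and the token is only delivered to the client's registered redirect URI. The client IDs, hostnames and user account are made up.

```python
"""Toy OAuth 2.0 authorization endpoint (implicit grant) for illustration.

Not Microsoft's code and not Wineberg's exploit. Client IDs, redirect
URIs and the user account below are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit, parse_qs


@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uri: str   # exact string the developer registered
    scopes: frozenset   # the most the app may ever ask for


# Constructed registry: one legitimate add-on and the attacker's app.
CLIENTS = {
    "outlook-addon-001": Client("outlook-addon-001", "https://addon.example/cb",
                                frozenset({"mail.read"})),
    "evil-app-666": Client("evil-app-666", "https://evil.example/cb",
                           frozenset({"mail.read", "contacts.read", "mail.send"})),
}


class ConsentError(Exception):
    """Raised when no token may be issued for this request."""


@dataclass
class AuthorizationServer:
    consents: dict = field(default_factory=dict)  # (user, client_id) -> scopes
    issued: dict = field(default_factory=dict)    # token -> (user, client_id, scopes)

    def grant_consent(self, user, client_id, scopes):
        """Only the consent page calls this, after the user clicks 'Yes'."""
        self.consents[(user, client_id)] = frozenset(scopes)

    def authorize(self, user, client_id, redirect_uri, scope, state):
        """GET /authorize as a logged-in user: return the redirect URL that
        carries the access token, or raise ConsentError."""
        client = CLIENTS.get(client_id)
        if client is None:
            raise ConsentError("unknown client")
        # Check 1: exact match against the registered redirect URI. A prefix
        # or substring check would let the token be sent to a page the
        # attacker controls, so nothing weaker than equality is accepted.
        if redirect_uri != client.redirect_uri:
            raise ConsentError("redirect_uri does not match registration")
        requested = frozenset(scope.split())
        if not requested <= client.scopes:
            raise ConsentError("scope not registered for this client")
        # Check 2: the user must have approved this client for these scopes.
        # A link in a phishing mail can reach this endpoint, but without a
        # prior 'Yes' recorded for this client_id no token leaves the server.
        granted = self.consents.get((user, client_id), frozenset())
        if not requested <= granted:
            raise ConsentError("user has not consented; show the prompt")
        token = secrets.token_urlsafe(32)
        self.issued[token] = (user, client_id, requested)
        return client.redirect_uri + "#" + urlencode(
            {"access_token": token, "token_type": "bearer", "state": state})


def token_from_redirect(url):
    """What whoever receives the redirect can read out of it."""
    return parse_qs(urlsplit(url).fragment)["access_token"][0]


def demo():
    """Run the legitimate flow and two Evil App attempts; return outcomes."""
    srv = AuthorizationServer()
    alice = "alice@outlook.example"
    srv.grant_consent(alice, "outlook-addon-001", {"mail.read"})  # Alice clicked 'Yes'
    url = srv.authorize(alice, "outlook-addon-001",
                        "https://addon.example/cb", "mail.read", "s1")
    results = {"legit": srv.issued[token_from_redirect(url)][1]}
    # Evil App lures Alice to /authorize with its own client_id: no consent on file.
    try:
        srv.authorize(alice, "evil-app-666", "https://evil.example/cb",
                      "mail.read contacts.read mail.send", "s2")
        results["evil_link"] = "token issued"
    except ConsentError as e:
        results["evil_link"] = str(e)
    # Evil App tries to ride on the add-on's consent but steer the token elsewhere.
    try:
        srv.authorize(alice, "outlook-addon-001",
                      "https://evil.example/cb", "mail.read", "s3")
        results["evil_redirect"] = "token issued"
    except ConsentError as e:
        results["evil_redirect"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The consent record is keyed on the user and the client_id, so merely visiting the authorize URL gets Evil App nothing, and reusing another app's consent fails on the redirect URI comparison. A bypass of the kind the article describes means one of these two guarantees (or the coupling between them) no longer held on the real server; that is the property to check for in any OAuth deployment, along with the `state` parameter shown here, which stops a token from being bound to the wrong session.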

Exploit Demonstration

You can watch the video demonstration of the attack below:
[Video: Microsoft Pays $24,000 Bounty to Hacker for Finding 'Account Hacking' Technique]
What is more concerning, according to Wineberg, is that the vulnerability could have been abused to build an email worm: every compromised account could be used to send the malicious link to all of its contacts.

“Using this as a targeted attack definitely has a high impact, but this is also the perfect type of vulnerability to turn into a worm,” Wineberg wrote. “A worm could easily email all of a user’s contacts, with something enticing…and spread to every user who clicks the link.”

Microsoft patched the vulnerability in mid-September and paid Wineberg $24,000 under its bug bounty program.
Earlier this week, Cybereason security researchers disclosed further issues in Microsoft's Outlook app that affected business users.
