The Tech Portal

A bug in Microsoft’s log-in system left users at risk

Published on 02 December 2019, 23:21 Asia/Kolkata. Updated on 03 December 2019, 00:11 Asia/Kolkata.
Author: Upneet Singh

Microsoft has recently fixed a vulnerability in its log-in system that could have led to many users’ accounts being hacked.

The bug enabled hackers to steal ‘tokens’ from a user’s device. Tokens are generated by a computing system to store passwords and eliminate the need to log in every time. Each time you check a box that says ‘remember me’, a token is generated so the device can, in fact, remember you. However, tokens also allow third-party apps access to usernames and passwords so as to reduce redundancy.

Sahad Nk, an Indian bug hunter, found that a Microsoft subdomain allowed him to take control of it. He gained complete control of the data generated by that subdomain.

Later, he found that many Microsoft apps had similar subdomains that allowed him access to the ‘tokens’ generated by them.

‘Microsoft’s algorithm has left open the possibility of attackers’ access to these tokens. The user can be completely oblivious to the fact that he has been hacked.’ This was found by CyberArk, an Israeli cybersecurity company.

According to CyberArk, it has uncovered a lot of unregistered subdomains connected to some apps by Microsoft. These subdomains can become tools to access tokens, which can put anyone who uses a Microsoft device (which is literally all of us) at risk. In the hands of rogue hackers, all these unregistered subdomains can be used to generate tokens that go directly to the hacker himself. Hackers use these subdomains by having users click on a link in an email or on a website, and voila, your account has been hacked.

In other, more serious cases, the hackers can also use methods that require almost no participation on the user’s side. A malicious website hiding an embedded webpage could silently trigger the same request as a link in a malicious email to steal a user’s account token.

But thanks to Microsoft’s dedicated service team and the bug bounty hunters on the internet, a lot of these subdomains have been reported. However, the threat still isn’t completely eliminated. Some subdomains may still be unaccounted for.
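One way a defender could look for such unaccounted-for subdomains is to check every hostname an app trusts to receive tokens against DNS and flag the ones that are unregistered or alias a released target. This is an added example, not code from the article, Microsoft or CyberArk; the hostnames, the DNS snapshot format and the function names are constructed for illustration.

```python
"""Audit hostnames trusted to receive login tokens against a DNS snapshot."""

# Constructed sample data (hypothetical names, not taken from the article).
TRUSTED_HOSTS = [
    "login.app.example.com",
    "portal.app.example.com",
    "legacy.app.example.com",
    "old-sso.app.example.com",
]

# hostname -> ("A", ip) or ("CNAME", target); a missing key means NXDOMAIN.
DNS_SNAPSHOT = {
    "login.app.example.com": ("A", "192.0.2.10"),
    "portal.app.example.com": ("CNAME", "portal-prod.cloudhost.example.net"),
    "portal-prod.cloudhost.example.net": ("A", "192.0.2.20"),
    "legacy.app.example.com": ("CNAME", "legacy-site.cloudhost.example.net"),
    # legacy-site.cloudhost.example.net was released: no record exists for it.
}

def classify(host, dns, max_hops=8):
    """Follow CNAMEs from host and report how the chain ends."""
    chain = [host.lower().rstrip(".")]
    for _ in range(max_hops):
        record = dns.get(chain[-1])
        if record is None:
            # First name missing: the trusted host itself is unregistered.
            # Later name missing: a live alias points at a claimable target.
            return ("unregistered" if len(chain) == 1 else "dangling"), chain
        kind, value = record
        if kind == "A":
            return "resolves", chain
        nxt = value.lower().rstrip(".")
        if nxt in chain:
            return "loop", chain
        chain.append(nxt)
    return "too-many-hops", chain

def audit(trusted, dns):
    """Return {host: (status, chain)} for every trusted host that does not resolve."""
    findings = {}
    for host in trusted:
        status, chain = classify(host, dns)
        if status != "resolves":
            findings[host] = (status, chain)
    return findings

if __name__ == "__main__":
    for host, (status, chain) in audit(TRUSTED_HOSTS, DNS_SNAPSHOT).items():
        print(f"{status:13} {' -> '.join(chain)}")
```

Every host the audit reports should be removed from the trusted list or re-registered by its owner before it is trusted again.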

This bug was reported to Microsoft in October and it took around 3 weeks to fix it. “We resolved the issue with the applications mentioned in this report in November and customers remain protected,” said a Microsoft spokesperson.

Nk was later rewarded for his efforts.

©Copyright 2014-2019. Blue Box Media Private Limited (India). All rights reserved.