Microsoft has recently fixed a vulnerability in its login system. This vulnerability could have led to many users’ accounts being hacked.
The bug enabled hackers to steal ‘tokens’ from a user’s device. Tokens are generated by a computing system to store passwords and eliminate the need to log in every time. Each time you check a box that says ‘remember me’, a token is generated so the device can, in fact, remember you. However, tokens also allow third-party apps access to usernames and passwords so as to reduce redundancy.
Sahad Nk, an Indian bug hunter, found that a Microsoft subdomain allowed him to take control of it. He gained complete control of the data generated by that subdomain.
Later, he found that many Microsoft apps had similar subdomains, which allowed him access to the ‘tokens’ generated by them.
‘Microsoft’s algorithm has left open the possibility of attackers’ access to these tokens. The user can be completely oblivious to the fact that he has been hacked.’ This was found by CyberArk, an Israeli cybersecurity company.
According to CyberArk, it has uncovered many unregistered subdomains connected to some Microsoft apps. These subdomains can become tools to access tokens, which puts anyone who uses a Microsoft device (which is literally all of us) at risk. In the hands of rogue hackers, all these unregistered subdomains can be used to generate tokens that go directly to the hacker himself. Hackers use these subdomains by having the user click on a link in an email or on a website, and voila, your account has been hacked.
In other, more serious cases, hackers can also implement methods that require almost no participation on the user’s side. A malicious website hiding an embedded webpage could silently trigger the same request as a link in a malicious email to steal a user’s account token.
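As an added illustration (not code from the article, Microsoft or CyberArk), the following contrasts a redirect allowlist that accepts any subdomain of a trusted parent domain with one that accepts only exactly registered targets. It assumes the token is delivered to a redirect URL named in the login request; the hostnames, path and sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed allowlist of the exact redirect targets an application registered.
# Placeholder names; not Microsoft's real subdomains or endpoints.
ALLOWED_REDIRECTS = {
    ("https", "app.example.com", "/signin-callback"),
}

PARENT_DOMAIN = "example.com"  # constructed placeholder parent domain


def weak_is_allowed(redirect_url: str) -> bool:
    """Suffix match on the parent domain. Any subdomain passes, including one
    whose DNS name still exists but whose backing service was never registered
    or has been abandoned, so a token redirected there is handed to whoever
    now controls that name."""
    host = (urlparse(redirect_url).hostname or "").lower()
    return host == PARENT_DOMAIN or host.endswith("." + PARENT_DOMAIN)


def strict_is_allowed(redirect_url: str) -> bool:
    """Exact match of scheme, host and path against the registered allowlist,
    HTTPS only, so a token can only reach a target someone consciously registered."""
    p = urlparse(redirect_url)
    if p.scheme != "https" or not p.hostname:
        return False
    return (p.scheme, p.hostname.lower(), p.path) in ALLOWED_REDIRECTS


def audit(redirect_urls):
    """Return the URLs the weak rule accepts but the strict rule rejects:
    exactly the targets where an unregistered subdomain would receive a token."""
    return [u for u in redirect_urls if weak_is_allowed(u) and not strict_is_allowed(u)]


# Constructed sample redirect targets that login requests might carry.
SAMPLE_REDIRECTS = [
    "https://app.example.com/signin-callback",            # registered: both accept
    "https://forgotten.example.com/signin-callback",      # unregistered subdomain
    "http://app.example.com/signin-callback",             # plaintext: strict rejects
    "https://example.com.attacker.test/signin-callback",  # lookalike: both reject
]

if __name__ == "__main__":
    for u in audit(SAMPLE_REDIRECTS):
        print("token would leak to:", u)
```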
But thanks to Microsoft’s dedicated service team and the bug bounty hunters on the internet, many of these subdomains have been reported. However, the threat still isn’t completely eliminated: some subdomains may still be unaccounted for.
This bug was reported to Microsoft in October and it took around 3 weeks to fix it. “We resolved the issue with the applications mentioned in this report in November and customers remain protected,” said a Microsoft spokesperson.
Nk was later rewarded for his efforts.