Chain of flaws could result in Outlook, Store, and Sway account compromise
A chain of vulnerabilities left Microsoft user accounts open to takeover, new research reveals.
Working in partnership with the independent antivirus review site SafetyDetective, India-based security researcher Sahad Nk was able to take control of a misconfigured Microsoft subdomain, success.office.com, and thus whatever data was sent to it.
“The subdomain was pointing to a Microsoft Azure Web App service with its CNAME record,” reads a blog post from SafetyDetective, published earlier this week.
“During a simple host check, we realized the application was no longer up, and we were able to take over the subdomain by registering an Azure web-app with the name successcenter-msprod.”
After taking control of the subdomain, the researcher found that improper OAuth checks in Microsoft Outlook, Store, and Sway could enable an attacker to log in as the victim – albeit after they had clicked on a malicious link.
“Even if the authentication initiator is outlook.com or sway.com, login.live.com is allowing https://success.office.com as a valid redirect URL and sending the login tokens to this domain we now control,” the post continues.
“This resulted in a token leakage to our server. One can exchange this token for a session token and use the tokens to log in as the victim without knowing any username/password.
“This is meant to bypass all the OAuth and get a valid token; when a victim clicks on the [malicious] link, we will be able to take over their account.”
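The root cause on the authorization-server side is redirect URI validation that is looser than an exact match against what each client registered. The following added example (not Microsoft's code, and not from the SafetyDetective post) contrasts a loose suffix-based check, which accepts any host under a trusted parent domain and therefore also a dangling subdomain an attacker has re-registered, with a strict per-client exact-match check; the client IDs and callback URIs are hypothetical, constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed, hypothetical client registrations: one set of exact redirect URIs per client.
CLIENT_REDIRECTS = {
    "outlook-web": {"https://outlook.live.com/owa/auth/callback"},
    "sway": {"https://sway.office.com/auth/callback"},
}


def loose_redirect_check(redirect_uri: str) -> bool:
    """Weak pattern: accept any https URL whose host sits under a trusted parent domain.
    A forgotten subdomain that resolves to attacker-controlled infrastructure passes this check."""
    u = urlsplit(redirect_uri)
    return u.scheme.lower() == "https" and (u.hostname or "").endswith(".office.com")


def _normalize(redirect_uri: str):
    """Canonicalize scheme/host/port so equivalent spellings compare equal.
    Returns None for anything that is not plain https or that carries a fragment."""
    u = urlsplit(redirect_uri)
    if u.scheme.lower() != "https" or not u.hostname or u.fragment:
        return None
    try:
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = u.hostname  # urlsplit already lowercases the host
    if port and port != 443:
        host = f"{host}:{port}"
    path = u.path or "/"
    return f"https://{host}{path}" + (f"?{u.query}" if u.query else "")


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Strict pattern: the full redirect URI must exactly match one registered for this client.
    No suffix matching, no cross-client reuse, so a taken-over sibling subdomain is rejected."""
    candidate = _normalize(redirect_uri)
    if candidate is None:
        return False
    registered = {_normalize(r) for r in CLIENT_REDIRECTS.get(client_id, set())}
    return candidate in registered
```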
The flaws were disclosed to Microsoft back in June and were fixed last month.