Single Bug Affecting 400 million Microsoft Users

A single Microsoft bug leads to full account takeover
A security researcher from the security site SafetyDetective has discovered a security bug that affects almost every Microsoft user. Researcher Sahad NK found that one of Microsoft's subdomains (success.office.com) had a DNS misconfiguration that made it vulnerable to subdomain takeover.

The DNS misconfiguration of the Office subdomain let the bug hunter set up an Azure web app that the domain's CNAME record pointed to (a CNAME maps domain aliases and subdomains to another hostname). By doing this, NK not only took control of the subdomain but also received any and all data sent to it.

After taking control of the Microsoft subdomain, NK chained it with another security bug, an improper authentication check. Because the subdomain NK took over ends in ".office.com", it fell under a wildcard, making it a trusted domain.
Whenever users sign in to the Microsoft Office, Outlook, Store and Sway apps, they do so via login.live.com, and the login domain allowed success.office.com as a valid redirect URL, sending login tokens to this domain, which was controlled by NK.
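
The redirect-URL check described above is the second half of the chain. The following is an added example, not code from the article or from Microsoft: a hypothetical authorization-server check that trusts any host under a parent domain (which lets a taken-over subdomain through) next to a hardened check that only accepts redirect URIs registered exactly per client. The client ID and registered URI are constructed for illustration.

```python
from urllib.parse import urlparse

# Hypothetical weak check modelled on the behaviour described in the article:
# every host under the trusted parent domain is accepted, so a subdomain that
# an outsider controls (e.g. via a dangling CNAME) receives login tokens too.
TRUSTED_PARENT = "office.com"

def redirect_allowed_weak(redirect_uri: str) -> bool:
    host = (urlparse(redirect_uri).hostname or "").lower()
    return host == TRUSTED_PARENT or host.endswith("." + TRUSTED_PARENT)

# Hardened check: exact match of scheme, host, port and path against the
# redirect URIs registered for the requesting client (constructed sample).
REGISTERED_REDIRECTS = {
    "client-outlook": {"https://outlook.office.com/owa/auth/callback"},
}

def redirect_allowed_strict(client_id: str, redirect_uri: str) -> bool:
    u = urlparse(redirect_uri)
    # Reject anything that is not plain https or smuggles userinfo/fragments.
    if u.scheme != "https" or u.fragment or u.username or u.password:
        return False
    # Normalise to scheme://host[:port]/path; the query string is not part of
    # the registration and is dropped before comparison.
    normalised = f"{u.scheme}://{u.netloc.lower()}{u.path}"
    return normalised in REGISTERED_REDIRECTS.get(client_id, set())

if __name__ == "__main__":
    hijacked = "https://success.office.com/cb"
    print("weak  :", redirect_allowed_weak(hijacked))                    # True
    print("strict:", redirect_allowed_strict("client-outlook", hijacked))  # False
```

The strict check is what makes a subdomain takeover on its own insufficient for token theft: a host that is not registered for the client is refused even when it sits under a trusted parent domain.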

After gathering the login tokens, NK simply crafts an email and sends it to users, asking them to click a link. A user would likely click, since the email originates from a valid Microsoft domain, success.office.com. When a user clicks the link, NK obtains a valid session token, which allows him to bypass all OAuth measures.

This gives NK access to any Microsoft user's account. The issue was reported to the Microsoft security team through its Responsible Disclosure Program in June and was fixed in November.