Microsoft has fixed a vulnerability in its login system, which security researchers say could have been used to trick unsuspecting victims into giving over complete access to their online accounts.
The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords.
Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account — potentially without ever alerting the user.
CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user.
With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen.
In some cases, the researchers said, this could be done in a "zero-click" way, which, as the name suggests, requires almost no user interaction at all. A malicious website hiding an embedded web page could silently trigger the same request as a link in a malicious email to steal a user's account token.
Luckily, the researchers registered as many of the subdomains they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.
The security flaw was reported to Microsoft in late October and fixed three weeks later.
"We resolved the issue with the applications mentioned in this report in November and customers remain protected," said a Microsoft spokesperson.
It's not the first time Microsoft has acted to fix a bug in its login system. Almost exactly a year ago, the software and services giant fixed a similar vulnerability in which researchers were allowed to alter the records of an improperly configured Microsoft subdomain and steal Office account tokens.