A serious security vulnerability existed in the Microsoft login system. The researchers who found the flaw suspected that exploiting it could lead to account hijacking.
Microsoft Login System Vulnerability
Researchers from Israeli security firm CyberArk have reportedly discovered a serious vulnerability in the Microsoft login system. Exploiting the vulnerability could allow attackers to take over accounts. Detailing the discovery, TechCrunch reported that the bug affected apps integrated with Microsoft accounts.
The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without having them constantly re-enter their passwords.
A potential attacker could exploit the unregistered subdomains of these apps to create access tokens without users’ consent.
With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen.
However, in some cases, the attacker would require no user interaction at all, as a website with a malicious image could serve the purpose.
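An added defensive check, not from the original article or from CyberArk or Microsoft: it audits the hostnames an app trusts for token delivery and flags any that nobody currently holds. It assumes the trusted subdomains are kept as a list of OAuth-style redirect URIs; the function names, the sample hostnames and the DNS-based `resolves` check (an approximation of "registered") are illustrative assumptions.

```python
import socket
from urllib.parse import urlsplit


def resolves(host):
    """Live DNS check; callers can substitute an asset-inventory lookup."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def audit_redirect_uris(redirect_uris, is_claimed=resolves):
    """Return (uri, reason) for each trusted redirect URI that needs review."""
    findings = []
    for uri in redirect_uris:
        parts = urlsplit(uri)
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme != "https":
            findings.append((uri, "not https"))
        elif not host:
            findings.append((uri, "no hostname"))
        elif "*" in host:
            # A wildcard trusts every subdomain, registered or not.
            findings.append((uri, "wildcard host"))
        elif not is_claimed(host):
            # Trusted by the app, but nobody holds the name: whoever
            # registers it first receives tokens sent to this URI.
            findings.append((uri, "host not registered"))
    return findings


# Constructed sample data (hypothetical app and hostnames).
SAMPLE_REDIRECTS = [
    "https://login.app.example.com/callback",
    "https://old-portal.app.example.com/callback",
    "https://*.app.example.com/callback",
    "http://login.app.example.com/callback",
]
SAMPLE_CLAIMED = {"login.app.example.com"}


def demo():
    return audit_redirect_uris(SAMPLE_REDIRECTS, SAMPLE_CLAIMED.__contains__)


if __name__ == "__main__":
    for uri, reason in demo():
        print(f"{reason:20} {uri}")
```

Entries flagged as "host not registered" should either be removed from the app's trusted list or registered by the owner.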
Fix Already Deployed
After finding the vulnerability, the researchers worked to register many of the subdomains associated with vulnerable Microsoft applications. Nonetheless, they feared that there could be more such subdomains.
They informed Microsoft of the flaw in October 2019. The tech giant has since confirmed that it deployed a patch with its November updates.
According to a Microsoft spokesperson’s statement to TechCrunch,
“We resolved the issue with the applications mentioned in this report in November and customers remain protected.”