Microsoft has fixed a vulnerability in its login system that, according to security researchers, could have been used to trick unsuspecting victims into giving attackers full access to their online accounts.
The vulnerability allowed attackers to quietly steal account tokens, which sites and apps use to keep users signed in without making them constantly re-enter their passwords. A token is issued by the application or website after the user logs in and then stands in for the username and password: it keeps the user signed in to the site, and it also lets third-party apps and sites act on the user's behalf without the user ever handing over the password itself.
Researchers at the Israeli cyber security company CyberArk found that Microsoft had left open an unintended weakness which, if exploited, could have been used to steal the tokens that grant access to a victim's account.
CyberArk told TechCrunch exclusively that in its latest research it found dozens of unregistered subdomains tied to a handful of applications built by Microsoft. These first-party applications are highly trusted, so their associated subdomains could be used to generate access tokens automatically, without any explicit consent from the user.
With those subdomains in hand, an attacker would only need to trick an unsuspecting victim into clicking a specially crafted link in an email or on a website, and the token could be stolen.
In some cases, the researchers said, this could be done in a "zero-click" manner, meaning it requires virtually no user interaction: a malicious website hiding an embedded web page could trigger the same request as the link in a malicious email and steal the user's account token.
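The check a defender would want after reading the description above is an audit of an application's registered redirect URIs for hosts that no longer resolve or point at a cloud name nobody owns, alongside a small model of why the login flow delivers the token to whoever controls that host. The following is an added example, not code from the article, from CyberArk or from Microsoft; it assumes the login flow described is OAuth 2.0 (the implicit grant, where the token travels in the URL fragment), and the host names, redirect URIs and DNS answers in it are constructed so that it runs offline.

```python
"""
Audit an OAuth app's registered redirect URIs for dangling hosts.

Added example (not from the article, CyberArk or Microsoft). In the OAuth 2.0
implicit grant the authorization server hands the access token to the app's
pre-registered redirect URI in the URL fragment, so whoever serves that
hostname receives the token. A registered redirect host that no longer
resolves, or that is a CNAME to a cloud name nobody owns, can be claimed by
an attacker. The host names and DNS answers below are CONSTRUCTED sample
data chosen to illustrate the check, not real application registrations.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# resolve(host) -> (cname_target_or_None, has_address_record)
Resolver = Callable[[str], Tuple[Optional[str], bool]]

# Constructed sample: a redirect URI list as it might appear in an app registration.
SAMPLE_REDIRECT_URIS: List[str] = [
    "https://portal.example-app.test/auth/callback",
    "https://old-demo.example-app.test/oauth",
    "https://beta.example-app.test/signin-oidc",
    "http://localhost:8080/callback",
]

# Constructed fake DNS view so the example runs offline.
FAKE_DNS: Dict[str, Tuple[Optional[str], bool]] = {
    "portal.example-app.test": (None, True),
    # CNAME to a cloud hostname that has since been deleted: a takeover candidate.
    "old-demo.example-app.test": ("old-demo.cloudhost.test", False),
    "old-demo.cloudhost.test": (None, False),
    # Plain NXDOMAIN: the name is simply gone but is still trusted as a redirect target.
    "beta.example-app.test": (None, False),
    "localhost": (None, True),
}


def fake_resolve(host: str) -> Tuple[Optional[str], bool]:
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(host, (None, False))


def live_resolve(host: str) -> Tuple[Optional[str], bool]:
    """Best-effort live resolver using only the standard library.

    It reports whether the name has an address; the socket module does not
    expose CNAME targets, so dangling-CNAME detection needs a DNS library
    (e.g. dnspython) and the CNAME slot is always None here.
    """
    try:
        socket.getaddrinfo(host, None)
        return (None, True)
    except socket.gaierror:
        return (None, False)


def classify_redirect_host(host: str, resolve: Resolver) -> str:
    """Return 'ok', 'nxdomain' or 'dangling-cname' for one redirect host."""
    cname, has_address = resolve(host)
    if has_address:
        return "ok"
    if cname is not None:
        # One CNAME hop shows the pattern: if the target is gone, registering
        # that target name captures everything the browser sends to `host`.
        _, target_has_address = resolve(cname)
        return "ok" if target_has_address else "dangling-cname"
    return "nxdomain"


def audit_redirect_uris(uris: List[str], resolve: Resolver) -> Dict[str, str]:
    """Map each redirect URI to a status; only http(s) URIs with a host are checked."""
    findings: Dict[str, str] = {}
    for uri in uris:
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings[uri] = "skipped"
            continue
        findings[uri] = classify_redirect_host(parts.hostname, resolve)
    return findings


def implicit_flow_callback(redirect_uri: str, access_token: str) -> str:
    """Model of the authorization server's final redirect in the implicit grant.

    The token rides in the fragment, so the browser delivers it to whoever
    serves `redirect_uri`; a dangling redirect host therefore means a stolen token.
    """
    return redirect_uri + "#" + urlencode({"access_token": access_token, "token_type": "Bearer"})


def token_recipient_host(callback_url: str) -> Optional[str]:
    """The party that ends up holding the token: the host of the callback URL."""
    return urlsplit(callback_url).hostname


if __name__ == "__main__":
    for uri, status in audit_redirect_uris(SAMPLE_REDIRECT_URIS, fake_resolve).items():
        print(f"{status:15} {uri}")
    leak = implicit_flow_callback("https://old-demo.example-app.test/oauth", "constructed-token")
    print("token would be delivered to:", token_recipient_host(leak))
```

Run against a real registration by swapping `fake_resolve` for `live_resolve` (or a dnspython-based resolver that also returns CNAME targets); any entry that is not `ok` is a redirect target the identity provider still trusts but which the application owner may no longer control, which is exactly the condition the researchers describe.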
Fortunately, the researchers registered as many of the vulnerable Microsoft applications' subdomains as they could find in order to prevent malicious abuse, but they warned that there could be more.
The security company reported the vulnerability to Microsoft in late October, and it was fixed about three weeks later. "We have fixed the issue with the applications mentioned in this report in November and customers remain protected," a Microsoft spokesperson said.
This is not the first time Microsoft has had to rush out a fix for a flaw in its login system. Almost a year ago, the software and services giant fixed a similar vulnerability that could have been used to steal Office account tokens.
Source: TechCrunch