A bug in Microsoft’s login system made it easy to hijack anyone’s Office account | TechCrunch


I’m tempted to say “The internet, how does it work?” but the truth is I wouldn’t have a clue, either. Seems like using a regex match against domain name is a Bad Idea, though.

And how did this bug get delivered? Emphasis on speed of delivery and human testing through the UI. “Looks good, ship it.” Which… is how all bugs get delivered, right? Less-careful developer + “hurry up and ship it”.

«Sahad Nk, an India-based bug hunter, discovered that a Microsoft subdomain, “success.office.com,” had not been properly configured, allowing him to take it over. He used a CNAME record, a canonical record used to link one domain to another, to point the unconfigured subdomain to his own Azure instance. In doing so, he controlled the subdomain — and any data sent to it, he said in a write-up, shared with TechCrunch prior to publication.

That wouldn’t be much of a problem on its own, but Nk also found that Microsoft Office, Store and Sway apps could be tricked into sending their authenticated login tokens to his newly controlled domain after a user logs in through Microsoft’s Live login system.

That’s because the vulnerable apps use a wildcard regex, allowing all office.com — including his newly controlled subdomain — to be trusted.»
