Vulnerability In Microsoft Login System Could Allow Account Hijacking

by ethhack

A serious security vulnerability existed in the Microsoft login system. The researchers who found the flaw suspected that exploiting it could lead to account hijacking.

Microsoft Login System Vulnerability

Reportedly, researchers from Israeli security firm CyberArk have discovered a serious vulnerability in the Microsoft login system. Exploiting the vulnerability could allow potential attackers to take over accounts.

Detailing the discovery, TechCrunch reported that the bug affected apps integrated with Microsoft accounts.

The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without having to constantly re-enter their passwords.

A potential attacker could exploit the unregistered subdomains of these apps to create access tokens without users’ consent.

With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen.

However, in some cases, the attacker would require no user interaction at all, as a website with a malicious image could serve the purpose.
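A defender-side check for the condition described above, as an added example that is not from the article, CyberArk or Microsoft: it reports which hostnames an app trusts to receive tokens no longer resolve and so may be open to registration by someone else. The entry list, the `.example` names and the function names are constructed for illustration, and treating a non-resolving name as unregistered is a simplifying assumption.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: entries a hypothetical app trusts to receive account
# tokens. These names are illustrative and do not come from the article.
TRUSTED_ENTRIES = [
    "https://login.app.example/callback",
    "https://portal.app.example:8443/done",
    "old-campaign.app.example",
    "*.cdn.app.example",
]


def system_resolves(host):
    """Return True if the name currently resolves through the system resolver."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def audit_trusted_hosts(entries, resolves=system_resolves):
    """Sort trusted entries into ok / unregistered / wildcard hostnames.

    Assumption: a name that does not resolve is treated as unregistered and
    needs review. Wildcards cannot be resolved, so they are reported apart.
    """
    findings = {"ok": [], "unregistered": [], "wildcard": []}
    seen = set()
    for entry in entries:
        entry = entry.strip()
        # Accept full URLs or bare hostnames.
        parsed = urlsplit(entry if "://" in entry else "//" + entry)
        host = (parsed.hostname or "").rstrip(".")
        if not host or host in seen:
            continue
        seen.add(host)
        if "*" in host:
            findings["wildcard"].append(host)
        elif resolves(host):
            findings["ok"].append(host)
        else:
            findings["unregistered"].append(host)
    return findings


if __name__ == "__main__":
    for bucket, hosts in audit_trusted_hosts(TRUSTED_ENTRIES).items():
        print(bucket, hosts)
```

Names reported as unregistered should be either registered by the owner or removed from the trusted list; wildcard entries need manual review because every name they cover is trusted.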

Fix Already Deployed

After finding the vulnerability, the researchers worked to register many of the subdomains associated with vulnerable Microsoft applications. Nonetheless, they feared that there could be more such subdomains.

They informed Microsoft of the flaw in October 2019. The tech giant has since confirmed deploying a patch for it with the November updates.

According to a Microsoft spokesperson’s statement to TechCrunch,

We resolved the issue with the applications mentioned in this report in November and customers remain protected.

Recently, Microsoft has also addressed a spoofing vulnerability in Microsoft Outlook for Android. Exploiting the bug could allow an attacker to conduct cross-site scripting attacks in the context of the current user.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world!