Microsoft’s login system bug puts users at risk of hijacking

Microsoft’s security system has fixed a vulnerability in the login system that can be used to trick unsuspecting victims into granting full access to their online accounts.

This bug allowed an attacker to quietly steal account tokens that websites and apps use to grant users access to accounts without constantly retyping passwords. This token is generated by the app or website instead of the username and password after the user logs in, which allows the user to continuously log in to the site but can access third-party apps and websites without having to touch the user directly. Are through their passwords.

A researcher at Israel’s cybersecurity company CyberArk said that Microsoft accidentally opened a loophole that could be used to remove these account tokens, which could be used to access a victim’s account without potentially notifying the user if the vulnerability was exploited Found

CyberArk’s latest study, shared exclusively with TechCrunch, found dozens of unregistered subdomains linked to a handful of apps built by Microsoft. These in-house apps are highly reliable, allowing you to automatically generate access tokens using the relevant subdomain without your explicit consent.

If there is a subdomain, an attacker can simply steal the token by tricking an unsuspecting victim into clicking on a specially crafted link in an email or website.

In some cases, the researcher can be done in a “zero click” manner, and as the name suggests, little user interaction is required. Malicious websites that hide embedded web pages can automatically trigger the same requests as links in malicious emails to steal your account tokens.