There were several vulnerabilities at Microsoft that, when combined, allowed an attacker to hijack any Microsoft Outlook, Microsoft Store or Microsoft Sway account. It was enough for the victim to click on a link. The vulnerabilities potentially affected 400 million users. The vulnerabilities have been fixed since November 2018.
I received the information by mail from Aviva Zacks. Aviva Zacks documented the topic in the SafetyDetective blog in the article Microsoft Account Takeover Vulnerability Affecting 400 Million Users.
Security investigation reveals critical vulnerabilities
Aviva Zacks writes that an initial security investigation, conducted by security researchers, found critical vulnerabilities in Microsoft accounts. The external security researcher Sahad Nk had been assigned this task. This bug bounty hunter and security researcher worked with SafetyDetective. The security researcher came across several vulnerabilities that allow an attacker to take over any Microsoft Outlook, Microsoft Store or Microsoft Sway account with a crafted link. It is enough for the victim to click on that link.
Immediately after these vulnerabilities were discovered, SafetyDetective’s people contacted Microsoft through a vulnerability disclosure program and cooperated with the company. The vulnerabilities were reported to Microsoft in June and fixed in late November 2018. Although the proof of concept was only demonstrated for Microsoft Outlook and Microsoft Sway, the security researchers believe that it affected all Microsoft accounts, including the Microsoft Store.
Bug #1: Subdomain Takeover (success.office[.]com)
The subdomain success[.]office[.]com pointed, via its CNAME record, to a Microsoft Azure Web App service. During a simple host check, the security researchers discovered that the application was no longer available. Therefore, they were able to take over the subdomain by registering an Azure web application called successcenter-msprod.
Bug #2: Improper OAuth check
The second vulnerability was an improper OAuth check. Accounts for Microsoft Outlook, the Store, and Sway could use the URL https[://]success[.]office[.]com as a valid “wreply” URL, so that the central logon system of login[.]live[.]com sent the logon token to this URL after successful authentication. It is assumed that this is done by a *.office.com wildcard check, which causes every subdomain to be trusted.
Even if the authentication initiator is outlook.com or sway.com, login.live.com allows https[://]success.office[.]com as the valid redirection URL and sends the login tokens to this domain. But that very domain was under the control of the security researchers. This led to a token leak on the security researchers’ server.
The security researchers were able to exchange the leaked token for a session token and log on to the victim’s account with the victim’s token without knowing a username or password. This bypasses the OAuth flow entirely and yields a valid token. If a victim clicked on a link, the security researchers could take over the account.
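To illustrate the difference between the wildcard check the article assumes and a strict per-client allowlist, here is an added example (not code from Microsoft or from the researchers). The registered redirect URIs, client names and the `wildcard_check`/`strict_check` functions are constructed for this illustration.

```python
from urllib.parse import urlparse

# Constructed sample data: the redirect URIs each relying party registered
# with the central login service (hypothetical values, not Microsoft's).
REGISTERED_REDIRECTS = {
    "outlook": {"https://outlook.live.com/owa/auth/"},
    "sway": {"https://sway.office.com/signin"},
}


def wildcard_check(wreply: str) -> bool:
    """The weak check the article assumes: any https host under office.com is
    trusted as a token receiver, regardless of which client started the login.
    A dangling subdomain such as success.office.com passes this check."""
    u = urlparse(wreply)
    return u.scheme == "https" and (u.hostname or "").endswith(".office.com")


def _normalize(wreply: str):
    """Canonical form used for exact matching; None if the URL is unusable."""
    u = urlparse(wreply)
    if u.scheme != "https" or not u.hostname or u.fragment:
        return None
    if u.port not in (None, 443):  # hostname drops the port; refuse odd ports
        return None
    query = f"?{u.query}" if u.query else ""
    return f"https://{u.hostname}{u.path or '/'}{query}"


def strict_check(client_id: str, wreply: str) -> bool:
    """Hardened check: the wreply must exactly match a URI pre-registered by
    the client that initiated the login. A sibling subdomain, an abandoned
    host or another client's URI is never accepted, so a subdomain takeover
    alone cannot divert tokens."""
    normalized = _normalize(wreply)
    if normalized is None:
        return False
    return normalized in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    abandoned = "https://success.office.com/"
    print("wildcard accepts abandoned host:", wildcard_check(abandoned))
    print("strict accepts abandoned host:", strict_check("outlook", abandoned))
```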