Microsoft Pays $24,000 Bounty to Hacker for Finding 'Account Hacking' Technique

A security researcher has won $24,000 from Microsoft for finding a critical flaw in its Live.com authentication system that could allow hackers to gain access to a user’s complete Outlook account or other Microsoft services.

Microsoft's Live.com is the authentication system that everyone goes through when signing in to Outlook.com and a large number of other Microsoft services, including OneDrive, Windows Phone, Skype, and Xbox LIVE.

Hacking Hotmail (Outlook.com) Account

It’s one account for all services. So if, say, Outlook wants to access other apps, it uses a standard authorization protocol called OAuth.

OAuth is an open standard for authorization that keeps your password safe from third-party sites: instead of sharing your password, it hands the app a special key called an 'access token' that grants it access to your account.

OAuth authorizations are granted through a consent prompt: to allow an app to gain access to your account, you need to click ‘Yes’.
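The consent step described above, as an added illustration (constructed for this article, not Microsoft's Live.com code): the authorization server issues a token only when the user has already consented to this exact app and scope set, shows the Yes/No prompt otherwise, and rejects unregistered apps or redirect targets. The client ids, redirect URIs and scope names are made-up sample values.

```python
"""Constructed example of an OAuth authorization server's consent decision.
Not Microsoft's code: client ids, URIs and scopes below are sample values."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # registered apps: client_id -> set of exactly matching redirect URIs
    registered: dict
    # consent already given by a user: (user, client_id) -> frozenset of scopes
    grants: dict = field(default_factory=dict)

    def authorize(self, user, client_id, redirect_uri, scopes, user_clicked_yes=False):
        """Return ("token", scopes) only with prior or explicit consent,
        ("prompt", missing_scopes) when the consent dialog must be shown,
        or ("reject", None) for an unknown app or unregistered redirect URI."""
        allowed_uris = self.registered.get(client_id)
        if allowed_uris is None or redirect_uri not in allowed_uris:
            # Never hand a token to an app the server does not know, and never
            # send one to a redirect target that app did not register (standard
            # OAuth practice, not something the article describes).
            return ("reject", None)
        wanted = frozenset(scopes)
        already = self.grants.get((user, client_id), frozenset())
        if wanted <= already:
            # User consented to everything requested earlier: no prompt needed.
            return ("token", sorted(wanted))
        if not user_clicked_yes:
            # Anything not yet consented to must go through the Yes/No prompt;
            # a token without this click is exactly the bypass the article reports.
            return ("prompt", sorted(wanted - already))
        # Record the explicit consent so later requests for the same scopes skip the prompt.
        self.grants[(user, client_id)] = already | wanted
        return ("token", sorted(wanted))


if __name__ == "__main__":
    srv = AuthServer(registered={"evilapp": {"https://evil.example/cb"}})
    print(srv.authorize("alice", "evilapp", "https://evil.example/cb", ["mail.read"]))
```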
However, Synack security researcher Wesley Wineberg found an amazing hack that allowed him to bypass Microsoft’s OAuth protection mechanism using his malicious ‘proof-of-concept’ app, named 'Evil App.'

According to the technical details posted by the researcher, the attacker's malicious app could effectively gain access to everything in the victim's account just by tricking the victim into visiting a web page, with no other user interaction required.

Exploit Demonstration

You can watch the video demonstration below that shows the attack in action:
What's more concerning about this vulnerability, according to Wineberg, is that it could have been exploited and abused by malicious hackers to create a nasty email worm.
"Using this as a targeted attack definitely has a high impact, but this is also the perfect type of vulnerability to turn into a worm," Wineberg wrote. "A worm could easily email all of a user’s contacts, with something enticing…and spread to every user who clicks the link."
However, Microsoft patched the vulnerability in mid-September and paid out a whopping $24,000 to Wineberg as part of the tech titan's bug bounty program.

Earlier this week, Cybereason security researchers discovered more issues in Microsoft's Outlook app that affected business users.
