The vulnerability has been uncovered by UK-based security consultant Jack Whitton and is similar to Microsoft's OAuth CSRF (Cross-Site Request Forgery) in Live.com discovered by Synack security researcher Wesley Wineberg.
However, the main and only difference between the vulnerabilities is that: Flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism while the one discovered by Whitton affected Microsoft's main authentication system.
Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.
Now, for example, if a user browses to outlook.office.com, he/she redirects to a login.microsoftonline.com URL that contains 'wreply' parameter for specifying which domain the user wants to access.
How Does the Vulnerability Work?
If the particular user is already logged in, a POST request is made back to the domain specified in wreply with a value containing a login token for the user. The service the user wants to authenticate on consumes that token and logs the user in.
According to Whitton, the authentication URL provided by Microsoft is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The CSRF attacks could allow an attacker to create a malicious URL, which, when accessed by an already authenticated user, would send the login token to the attacker controlled server.
Now, with the help of the token, the attacker could gain complete access to the victim's account.
"The token is only valid for the service that issued it – an Outlook token can not be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."
The good news is that Microsoft patched the vulnerability within two days after Whitton reported it to the company on January 24. The company also paid out $13,000 to the researcher as part of its bug bounty program.