Cyber news

Microsoft Pays $24,000 Bounty to Hacker for Finding ‘Account Hacking’ Technique

October 8, 2015 10:03 AM

A security researcher has won $24,000 from Microsoft for finding a critical flaw in its authentication system that could allow hackers to gain access to a user’s complete Outlook account or other Microsoft services.

Microsoft’s is the authentication system that everyone goes through when attempting to authenticate to and a large number of other Microsoft services, including OneDrive, Windows Phone, Skype, and Xbox LIVE.

Hacking Hotmail ( Account

It’s one account for all services. So if, say, Outlook wants to access other apps, it uses a standard set of authentication code called OAuth.

OAuth is an open standard for authorization that keeps your password safe on third-party sites: instead of sharing your password, it shares a special key called an ‘access token’ that the app uses to access your account.

OAuth authorizations are accomplished through a consent prompt, as shown below; to allow an app to gain access to your account, you need to click ‘Yes’.

However, Synack security researcher Wesley Wineberg found an amazing hack that allowed him to bypass Microsoft’s OAuth protection mechanism using his malicious proof-of-concept app, named ‘Evil App.’

According to the technical details posted by the security researcher, an attacker’s malicious app could effectively gain access to everything in the victim’s account just by tricking the victim into visiting a web page; no other user interaction was required.

Exploit Demonstration

You can watch the video demonstration below, which shows the attack at work:

What’s more concerning about this vulnerability, according to Wineberg, is that it could have been exploited and abused by malicious hackers to create a nasty email worm.

“Using this as a targeted attack definitely has a high impact, but this is also the perfect type of vulnerability to turn into a worm,” Wineberg wrote. “A worm could easily email all of a user’s contacts, with something enticing…and spread to every user who clicks the link.”

However, Microsoft patched the vulnerability in mid-September and paid out a whopping $24,000 to Wineberg as part of the tech titan’s bug bounty program.

Earlier this week, Cybereason security researchers discovered more issues in Microsoft’s Outlook app that affected business users.

Be secure…
AncusH S. Gaikwad

Published by ancushgaikwad
