Microsoft rewards researcher with $13,000 for serious authentication flaw
Security researcher Jack Whitton discovered a vulnerability in the authentication of Outlook, Azure and Office that allowed an attacker to log into users' accounts. Microsoft patched the flaw within two days and rewarded Whitton with $13,000.
In a blog post, Whitton describes how Microsoft uses separate domains to authenticate Outlook, Azure and Office, such as login.live.com and login.windows.net. If a user tries to log in to Outlook, for example, they are redirected to one of those domains. Because several different domains are involved, a cookie set by one of them cannot be read by the others, so Microsoft uses a token to authenticate the user instead.
When logging in, a parameter is appended to the URL that records which site the login came from; after the user has been authenticated, the login server returns the token to that original location. Through a cross-site request forgery vulnerability, Whitton was able to change the URL to which the token was sent. This was possible because the server filtered that parameter incorrectly.
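The return-location parameter described above is the whole game: if the login server accepts a destination it should not, the token lands on a site the attacker controls. The following Python is an added illustration, not Whitton's code or Microsoft's; the host allowlist, the weak substring filter and the fragment-based token delivery are all assumptions made for the example, since the page does not say what the real check looked like.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist of sites the login server may return a token to
# (hypothetical; Microsoft's real list is not on the page).
ALLOWED_RETURN_HOSTS = {"outlook.live.com", "portal.azure.com", "www.office.com"}


def weak_return_url_ok(url: str) -> bool:
    """Assumed weak filter: passes any URL that merely *contains* an allowed
    host name, so an attacker can hide it in a subdomain, userinfo or query."""
    return any(host in url for host in ALLOWED_RETURN_HOSTS)


def strict_return_url_ok(url: str) -> bool:
    """Hardened check: parse the URL, require https, and demand that the
    entire authority is exactly one allowlisted host (no user@, no port)."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    # urlparse lowercases .hostname but not .netloc; any user@ or :port
    # in the authority makes the two differ, which we reject outright.
    if parts.netloc.lower() != parts.hostname:
        return False
    return parts.hostname in ALLOWED_RETURN_HOSTS


def token_return_location(return_url: str, token: str) -> Optional[str]:
    """Where a login server using the strict check would send the token, or
    None if it refuses. Delivering the token in the fragment is an assumption."""
    if not strict_return_url_ok(return_url):
        return None
    return f"{return_url}#access_token={token}"


if __name__ == "__main__":
    # Constructed sample destinations: one legitimate, three look-alikes.
    for candidate in (
        "https://outlook.live.com/owa/",
        "https://outlook.live.com.attacker.example/",
        "https://outlook.live.com@attacker.example/",
        "https://attacker.example/?return=outlook.live.com",
    ):
        print(candidate, weak_return_url_ok(candidate), strict_return_url_ok(candidate))
```

Every look-alike passes the substring filter and fails the strict one; the exact-authority comparison is what stops a token from being sent off-site.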
In this way, Whitton could access the service corresponding to the intercepted token while posing as an authenticated user. The only limitation was that a token issued for one service could not be used for another; an Outlook token, for example, did not work for Azure.