Microsoft patches severe account hijacking security flaw

A vulnerability exposing user accounts to hijacking was patched 48 hours after being reported.


Microsoft has taken only 48 hours to patch a critical account authentication flaw which allowed attackers to use harvested login tokens.

According to British security researcher Jack Whitton, the vulnerability could be exploited through phishing websites designed to harvest login tokens to later compromise user accounts and data.

In a blog post on Monday, the researcher said manipulating POST values could be used in attacks which impersonate users of Microsoft products.

The Redmond giant supports a number of online services, ranging from Outlook email to Azure. When users wish to access these services, they need to input their credentials and a POST request is sent through the 'wreply' value in the domain's address, complete with a login token for the user in question. The token is then used and consumed through the login process.

Cookies are not used to authenticate as each service is hosted on a separate domain. Therefore, only a token is required -- and if this value can be punted to an attacker's server, the user can be impersonated and the token used to log in as the victim in a cross-site forgery attack.

The researcher found that by tweaking URL-coding parameters and parsing URLs, he was able to bypass different filters which are meant to prevent authentication errors.

This root cause of the bug allows attackers to specify an arbitrary URL to POST authentication tokens, and so if an attacker has gained this data through a fake website or phishing, they can gain complete access to a user account.

While the token is only valid for the service which issued it, such as Outlook rather than Azure and vice versa, the researcher says it would be a simple matter to create multiple hidden iframes with login URLs set to different services in order to harvest multiple tokens.

Whitton reported the security issue to Microsoft on Sunday 24. By the end of the day, Microsoft's security team had acknowledged the flaw and were able to issue a fix on Tuesday 26.

"This was quite a fun CSRF to find and exploit," Whitton said. "Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large."

Read on: Top picks