Microsoft patches Windows Live identity theft flaw

Microsoft recently fixed an XSS flaw in its Windows Live service that allowed an attacker to steal victims' online identities. The vulnerability was disclosed by two security researchers from Morocco.

Microsoft patches Windows Live identity theft flaw

21-year-old Abdeljalil S'hit and 23-year-old Yasser Aboukir recently discovered a serious vulnerability in Microsoft's Windows Live service. The two young security researchers from Morocco responsibly reported it to the software giant even though the company does not provide any compensation for doing so.

The vulnerability in question leveraged Cross-Site Scripting (XSS) to execute a malicious script. More specifically, the two researchers managed to cause an error on the Windows Live login page (as you can see above), and once the victim clicked on the "Continue" button, their malicious script would be executed.

The XSS flaw meant that an attacker could impersonate a Windows Live user by gaining full control of the victim's cookies. Combined with social engineering, this technique could be used to steal a victim's Windows Live identity with ease. Aboukir informed me that the vulnerability was described as "critical" by the Microsoft Security Research Center (MSRC).

While the MSRC was internally investigation the issue, the two young men were asked to respect Microsoft's coordinated vulnerability disclosure guidelines and not report the issue publicly until it could be addressed. Apparently, it took Microsoft three months to come up with a patch.

"We have created a code change to address the issue and are now testing the changes," a Microsoft spokesperson told the duo. "Because changes to the site may affect a large number of users the testing requirements prior to production release are lengthy. Based on the testing schedule and barring any significant regressions the team expects to release an update into production in early May."

Aboukir tells me, however, that the issue was not completely resolved until mid-June. Now that it has been, however, he felt comfortable to share his story with me. He also noted: "You are the first to be contacted about this issue. This 0day was fixed according to responsible disclosure ethics and was not communicated for any third party."

Aboukir describes himself as "a fresh graduated engineer specialized on information security." He described his friend as a "Computer Science engineering student." Both have been featured on Microsoft's list of June 2012 Security Researchers for properly disclosing a valid flaw to Redmond. There is no doubt in my mind that the two have a bright future ahead of them.

As for the issue at hand, I have contacted Microsoft for a statement and will update you if I hear back.

Update at 11:00PM PST - "We quickly addressed the vulnerability in question to help keep customers protected and appreciate the researchers using Coordinated Vulnerability Disclosure to assist in us working toward a fix in a coordinated manner," a Microsoft spokesperson said in a statement.

See also: