Microsoft rewards researcher with $13,000 for serious authentication flaw
Security researcher Jack Whitton discovered a flaw in the authentication of Outlook, Azure and Office that could let an attacker log in as a user. Microsoft patched the flaw within two days and rewarded Whitton with $13,000, roughly 11,430 euros.
When logging in, a parameter is added to the URL that indicates which site initiated the login. Based on this parameter, the server sends the token back to the originating location after the user has been authenticated. Through a cross-site request forgery vulnerability, Whitton could change the URL to which the token was sent. This was possible because the server filtered that input incorrectly.
That way Whitton had access to the service corresponding to the intercepted token, because he could pose as an authenticated user. The only restriction was that a token for Outlook, for example, could not be used for Azure.
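The article says the server filtered the return-location parameter incorrectly but does not say how. The Python below is added here as an illustration and is not Microsoft's code nor a reconstruction of Whitton's finding: it contrasts a naive substring check on a post-login return URL with a strict check that parses the URL and compares the exact host against an allowlist. The host names and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts that may receive a login token after authentication.
# Constructed for this example; not Microsoft's real hosts.
ALLOWED_RETURN_HOSTS = {"mail.example.com", "portal.example.com"}


def naive_is_trusted_return_url(url: str) -> bool:
    """Weak filter: accepts any URL that merely contains an allowed host name.
    A check like this can be satisfied by a URL whose real host is elsewhere."""
    return any(host in url for host in ALLOWED_RETURN_HOSTS)


def strict_is_trusted_return_url(url: str) -> bool:
    """Stronger filter: parse the URL, require HTTPS, reject embedded
    credentials, and require the exact parsed host to be on the allowlist."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased, port removed, brackets stripped
    if host is None:
        return False
    return host in ALLOWED_RETURN_HOSTS


def audit(urls):
    """Return (url, naive_verdict, strict_verdict) for each candidate URL,
    so the two filters can be compared side by side."""
    return [(u, naive_is_trusted_return_url(u), strict_is_trusted_return_url(u))
            for u in urls]


# Constructed sample return URLs: one legitimate, four that only the naive
# filter accepts (subdomain lookalike, host in query, userinfo trick, plain HTTP).
SAMPLE_RETURN_URLS = [
    "https://mail.example.com/inbox",
    "https://mail.example.com.attacker.test/",
    "https://attacker.test/?next=mail.example.com",
    "https://mail.example.com@attacker.test/",
    "http://mail.example.com/inbox",
]

if __name__ == "__main__":
    for url, naive, strict in audit(SAMPLE_RETURN_URLS):
        print(f"{url:50} naive={naive!s:5} strict={strict}")
```

Only the first sample URL should pass the strict check; the naive check accepts all five, which is the general shape of the mistake the article describes: trusting a string match instead of the parsed destination of the redirect.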