Microsoft rewards researcher with $13,000 for serious authentication flaw

Security researcher Jack Whitton discovered a flaw in the authentication for Outlook, Azure and Office that could let an attacker log in as another user. Microsoft patched the flaw within two days and rewarded Whitton with $13,000, about 11,430 euros.

In a blog post Whitton describes how Microsoft uses several domains for authenticating Outlook, Azure and Office. If a user wants to log in to Outlook, for example, they are redirected to one of those domains. Because multiple domains are involved, cookies cannot be shared between them. Microsoft therefore uses a token to authenticate the user.

When logging in, a parameter in the URL indicates which site initiated the login. Based on this parameter, the server sends the token back to the original location once the user has authenticated. Through a cross-site request forgery vulnerability Whitton could change the URL to which the token was sent. This was possible because the server filtered the input incorrectly.

That way Whitton gained access to the service corresponding to the intercepted token, because he could pose as an authenticated user. The only restriction was that a token for Outlook, for example, could not be used for Azure.
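An added illustration of the kind of check that goes wrong here; this is not code from Whitton's post or from Microsoft, and the host names, the parameter and the sample URLs are constructed assumptions. It contrasts a substring-style validation of the return URL, which lets the token be sent to a host the attacker controls, with an exact allowlist match on the parsed host.

```python
from urllib.parse import urlparse

# Hosts the login server may return a token to (constructed placeholders,
# not Microsoft's real authentication domains).
ALLOWED_RETURN_HOSTS = {"mail.example.com", "portal.example.com"}


def weak_is_allowed(return_url: str) -> bool:
    """Naive filter: accepts the URL if an allowed host name appears
    anywhere in the string. Every sample below slips past it."""
    return any(host in return_url for host in ALLOWED_RETURN_HOSTS)


def strict_is_allowed(return_url: str) -> bool:
    """Parse the URL and require https plus an exact host match."""
    try:
        parsed = urlparse(return_url)
    except ValueError:
        return False
    if parsed.scheme != "https":
        return False
    # .hostname is lower-cased and excludes userinfo and port, so
    # "user@host" tricks and "host:1234" variants are normalised away.
    host = parsed.hostname
    return host is not None and host in ALLOWED_RETURN_HOSTS


# Constructed sample return URLs: the first two are legitimate, the rest
# are shapes that merely contain an allowed host name.
SAMPLES = [
    "https://mail.example.com/inbox",
    "https://portal.example.com/",
    "https://mail.example.com.attacker.test/",
    "https://attacker.test/?next=mail.example.com",
    "https://mail.example.com@attacker.test/",
    "http://mail.example.com/inbox",
]


def evaluate(check) -> list:
    """Apply a validator to every sample and return the verdicts."""
    return [check(url) for url in SAMPLES]


if __name__ == "__main__":
    for url, weak, strict in zip(SAMPLES, evaluate(weak_is_allowed),
                                 evaluate(strict_is_allowed)):
        print(f"{url:50} weak={weak!s:5} strict={strict}")
```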
