Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Bug Microsoft Security The Internet

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks (techcrunch.com) 20

Microsoft has fixed a vulnerability in its login system that could have been used to trick unsuspecting victims into giving over complete access to their online accounts. TechCrunch reports: The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords. Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account -- potentially without ever alerting the user.

CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user. With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen. [...] Luckily, the researchers registered as many of the subdomains they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.

This discussion has been archived. No new comments can be posted.

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks

Comments Filter:
  • was accidental too?
  • Microsoft has security bugs? Noooooooooo, can't be, it's unprecedented.

  • by WoodstockJeff ( 568111 ) on Tuesday December 03, 2019 @08:28PM (#59482726) Homepage

    Given how many times people with Office365 accounts send me malware attack messages each day, most of which involve files hosted on their Sharepoint or Onedrive accounts, I have to wonder what other holes have been exploited to compromise these accounts for the last few years.

  • No Excuse (Score:5, Insightful)

    by SirAstral ( 1349985 ) on Tuesday December 03, 2019 @08:31PM (#59482730)

    Login Systems have been around for a long time. Yes there are many bugs and just unforeseen issues but there have been so many that it is clear that security is still barely more than a passing requirement for systems.

    Even with revelations like this the industry is still moving full steam ahead with bio-metric authentication systems... proven to be failures time and time again.

    Security was never the objective... but finding a way to get people to sacrifice all of their bio-metric data is. Now, the industry will have a perverse incentive to leave the traditional forms of login insecure as getting hold of that sweet sweet bio metric data will be far more prize-worthy of pursuit. People are finally starting to get a bleak view of the future... and sadly it will still not be enough because they are going to accept far worse intrusions into their lives under the guise of some farce that their security is being taken seriously.

    We can do better, we can do so much better, but we are too far down the rabbit hole to get back the way we came. There is just too much money at stake now.

    • Login Systems

      That's like saying "computers" have been around for a long time so we expect "computers" to be bug free. It's an absurd statement that ignores the fact that "login systems" have changed dramatically over time and that the way authentication is handled currently has little to nothing to do with what you knew in the past.

      Security was never the objective... but finding a way to get people to sacrifice all of their bio-metric data is.

      And here you've outed yourself as having no idea about "login systems". Pretty much no consumer based bio-metric system is collects data in any kind of a standard way to make it useful as "bi

  • by roc97007 ( 608802 ) on Tuesday December 03, 2019 @09:34PM (#59482828) Journal

    Must be Tuesday.

  • by kriston ( 7886 ) on Tuesday December 03, 2019 @10:08PM (#59482902) Homepage Journal

    Do they accept passwords with >16 characters yet?

    I discovered this after the Azure Portal was redesigned. I had a very long password for years and it stopped working until I chopped off the last 8 characters.

    I asked Support and they said "it's always been 16 characters; we just enforce it now."

    • Why don't we have the browsers pepper and hash passwords before sending them to the server, which would then hash them again? This would mean any bugs that make passwords show up in logs and such would display passwords only applicable to that website.

      It would also allow the user to enter any weird characters to their heart's desire, as well as allow for infinitely long passwords without regards to the size of the resulting POST to the server.

      Suddenly, there's no reason to limit anything about passwor
  • by notdecnet ( 6156534 ) on Tuesday December 03, 2019 @11:01PM (#59483012)
    Microsoft accidentally left open a loophole that hard-coded unregistered domain names into its apps. Come off it, do they take us for complete fools. And it was found by an Israeli cybersecurity company. I figure the knowledge was already leaked to the hacker community and this was the Microsoft way of pleading plausible deniability.
    • This was probably yet another "paid for backdoor". Generally the backdoors which the various The Letter Agencies pay Microsoft to install in their software get exposed. Some get found quicker that others. And Microsoft usually pleads incompetence as a defense rather than admit they were paid to install the security hole in the first place.

      • I presume Microsoft has a code registry, and can see who authored, and checked in the offensive code. Security should find out and fire the creeps - and no stock options - citing reputational damage and more. But wait - this bug is unlikely to become a witch hunt - which says something.
    • by DarkOx ( 621550 )

      Hard to say. At first blush the reaction is why would hard code a trust list like that where you don't control the trusted assets, ie domains that in the strictest sense are controlled by a third party even if you 'own' them. How did that make it thru a code review?

      On the other hand a parameterized list is something that attackers would target. Just like they often try to do things like slip their evil CA cert into the machines trust store. Mass market commercial software has some special concerns the appl

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...