Vulnerability in Microsoft’s Login System Leaves User Accounts at Risk
A vulnerability in Microsoft’s login system, which has now been fixed, could have fooled victims into providing hackers with complete access to their online accounts.
The vulnerability let attackers steal account tokens, which apps and websites use to let users access their accounts without re-entering their login credentials. A token is issued to a user so that they stay logged in to the site instead of having to sign in again and again. Tokens also let users sign in to third-party websites and apps.
CyberArk, a cybersecurity company, discovered that Microsoft left open an accidental loophole, which left a user’s account tokens vulnerable, potentially without them ever knowing.
CyberArk also found dozens of unregistered subdomains connected to apps that were built by Microsoft. These trusted, in-house apps could be used to generate access tokens automatically without any sort of consent from the user.
With these subdomains, all an attacker would have to do is trick the victim into clicking an expertly crafted link in an email or on a website, and the token could be stolen. There are even instances where an attacker could hide an embedded web page in a malicious website that triggers the same request an email link would, which would likewise steal the user's account token.
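The defensive takeaway from the paragraphs above is an inventory problem: an OAuth application that is trusted to issue tokens automatically must not point its redirect target at a hostname the organisation no longer controls, and the authorization server must accept only the exact redirect URIs that were registered. The following script is an added example written for this page, not code from CyberArk, Microsoft or TechCrunch; the app names, hostnames and the "registered hosts" inventory are constructed, and it assumes the unregistered subdomains in the article matter because they were redirect targets of trusted apps, which is the usual shape of this class of bug.

```python
"""Audit OAuth app registrations for dangling redirect hosts and enforce exact-match redirects.

Added example; all inventory data below is constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class OAuthApp:
    name: str
    redirect_uris: tuple  # the literal strings registered for this app


# Constructed inventory: hostnames the organisation actually has DNS records for.
# In practice this would come from the DNS zone export or asset register.
REGISTERED_HOSTS = frozenset({"login.example.com", "app1.example.com"})

# Constructed app registrations (hypothetical names and URIs, not from the article).
SAMPLE_APPS = (
    OAuthApp("app1", ("https://app1.example.com/callback",)),
    # "legacy.example.com" is not in the inventory: a dangling redirect target.
    OAuthApp("legacy-portal", ("https://legacy.example.com/auth",
                               "https://app1.example.com/callback")),
    # Plain http would expose the token in transit even to a legitimate host.
    OAuthApp("mobile", ("http://app1.example.com/callback",)),
)


def dangling_redirect_hosts(app, registered_hosts):
    """Return redirect-URI hostnames of `app` that are not in the registered inventory."""
    dangling = []
    for uri in app.redirect_uris:
        host = urlsplit(uri).hostname  # already lower-cased by urlsplit
        if host is None or host not in registered_hosts:
            dangling.append(host)
    return dangling


def audit_apps(apps, registered_hosts):
    """Map app name -> findings for every app with a dangling or non-HTTPS redirect."""
    findings = {}
    for app in apps:
        dangling = dangling_redirect_hosts(app, registered_hosts)
        non_https = [u for u in app.redirect_uris if urlsplit(u).scheme != "https"]
        if dangling or non_https:
            findings[app.name] = {"dangling": dangling, "non_https": non_https}
    return findings


def is_allowed_redirect(requested_uri, app):
    """Exact string comparison of the redirect_uri parameter against the registration.

    Prefix, wildcard or "same parent domain" matching is what lets an unregistered
    sibling host receive a token; only the literal registered strings pass here.
    """
    return requested_uri in app.redirect_uris


if __name__ == "__main__":
    for name, finding in audit_apps(SAMPLE_APPS, REGISTERED_HOSTS).items():
        print(f"{name}: dangling={finding['dangling']} non_https={finding['non_https']}")
```

Run it against the real registration export and DNS inventory by replacing the two constructed constants; anything reported under `dangling` is a hostname that should either be re-registered in DNS or removed from the app before the app is allowed to issue tokens again.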
This security flaw was reported to Microsoft back in October. The company fixed the vulnerability three weeks later.
Story via TechCrunch