Microsoft pays security researcher $24k reward for Hotmail hack

The Inquirer reports that Wesley Wineberg of Synack Labs is the latest name to be added to the list. Wineberg has been recognised by Microsoft in its official hall of fame of award winners for his help in protecting its online services.
Wineberg began his research by analysing how an attack on Hotmail, now known as Outlook.com, would begin. He started by looking at the login process which runs on the server “login.live.com” and found there are “a lot of places that something could go wrong.”
After some digging around in Microsoft’s Live APIs, Wineberg found that a flaw in Microsoft’s token generation code meant he could obtain user consent to use their account in an app without them ever clicking “Yes” in the usual confirmation box that displays.
All he then had to do was build an “evil” app to acquire permissions to download email from a user’s account. The hack worked and allowed him to dump the contents of a user’s inbox to a website without them ever giving permission for the app to use their account.
Wineberg said of his discovery: “As an outside tester I have no idea how long this vulnerability may have existed, or if anyone ever tried to exploit it. At the same time, it is findings like this that definitely show the value of allowing outside testers to submit vulnerabilities to your company before attackers leverage them against you.”
He added that Microsoft was quick to respond to the issue after he alerted the company, praising their attitude towards security but warning that any organisation operating at scale should be prepared to find issues in their software. He wrote: “Microsoft is far ahead of most companies when it comes to security, and yet are still susceptible to issues like this one. Synack’s experience has been that vulnerabilities are uncovered even in seemingly well secured systems when a large group of outside researchers test that system. That is essentially the premise that Synack operates on, and is why more and more companies are offering their own bounty programs.”
The attack used the well-known cross-site request forgery (CSRF) technique. CSRF tricks a logged-in user's browser into sending a request the user never intended to make; the server accepts it because the browser automatically attaches the user's session credentials, so the request appears to come from the authenticated account holder. In this case the forged request stood in for the user's consent, letting an attacker execute actions on the account as if the owner had approved them.
The issue is now fixed and users are no longer at risk. Because the spoofed consent form applied to the user’s entire Microsoft account, a hacker could have requested permissions to access any of the available features, including calendar appointments and contacts.
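The consent-forgery problem described above, as an added illustration that is not Microsoft's code and does not reproduce the specific Live API flaw: a hypothetical OAuth-style consent endpoint, first in a form that trusts the session cookie alone (so a cross-site auto-submitted form is accepted as the user's "Yes"), then hardened with a per-session anti-forgery token that the consent page embeds and a check on the browser's Origin header. The session store, origins, client id and scope are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory session store for the example (a real service would use a
# server-side store or signed cookies); keys are session ids carried in a cookie.
SESSIONS: Dict[str, "Session"] = {}

CONSENT_PAGE_ORIGIN = "https://login.example.test"  # hypothetical origin of the consent form


@dataclass
class Session:
    user: str
    # Per-session anti-forgery token rendered as a hidden field in the consent form.
    # A page on another origin cannot read it, so a forged POST cannot include it.
    consent_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None  # value of the browser-supplied Origin header


def login(user: str) -> str:
    """Create a session and return the id the browser would store in a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def issue_authorization_code(user: str, client_id: str, scope: str) -> str:
    # Placeholder for minting a real authorization code; the format is constructed.
    return f"code:{user}:{client_id}:{scope}"


def grant_consent_vulnerable(req: Request) -> Tuple[Optional[str], int]:
    """Consent handler that trusts the session cookie alone (CSRF-prone)."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return None, 401
    # Nothing here proves the user actually clicked "Yes" on the consent page.
    return issue_authorization_code(sess.user, req.form["client_id"], req.form["scope"]), 200


def grant_consent_hardened(req: Request) -> Tuple[Optional[str], int]:
    """Consent handler that requires the per-session token and a matching Origin."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return None, 401
    submitted = req.form.get("consent_token", "")
    # Constant-time compare; a forged request has no way to learn the token.
    if not hmac.compare_digest(submitted.encode(), sess.consent_token.encode()):
        return None, 403
    # Defence in depth: reject POSTs whose Origin is not the consent page itself.
    if req.origin is not None and req.origin != CONSENT_PAGE_ORIGIN:
        return None, 403
    # Rotate the token so a captured value cannot be replayed for a second grant.
    sess.consent_token = secrets.token_urlsafe(32)
    return issue_authorization_code(sess.user, req.form["client_id"], req.form["scope"]), 200


def consent_post(sid: str, token: Optional[str], origin: str) -> Request:
    """Build the POST a browser would send to the consent endpoint (client/scope constructed)."""
    form = {"client_id": "example-mail-app", "scope": "mail.read"}
    if token is not None:
        form["consent_token"] = token
    return Request(cookies={"sid": sid}, form=form, origin=origin)


def forged_post(sid: str) -> Request:
    """Cross-site auto-submitted form: the browser attaches the victim's cookie, but the
    submitting page cannot read the token (field absent) and its Origin is not ours."""
    return consent_post(sid, None, "https://attacker.example.test")


def legitimate_post(sid: str) -> Request:
    """The real consent page submits the token it rendered for this session."""
    return consent_post(sid, SESSIONS[sid].consent_token, CONSENT_PAGE_ORIGIN)


if __name__ == "__main__":
    sid = login("victim")
    print("vulnerable handler, forged request: ", grant_consent_vulnerable(forged_post(sid)))
    print("hardened handler, forged request:   ", grant_consent_hardened(forged_post(sid)))
    print("hardened handler, genuine request:  ", grant_consent_hardened(legitimate_post(sid)))
```

The token rotation in the hardened handler is there for the replay case: once a consent has been used, the same hidden-field value is refused, so a token that leaked through a log or a referer cannot authorize a second grant. The Origin check is deliberately secondary, since older browsers may omit the header; the per-session token is the control that actually stops the forged request.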
Wineberg completed his proof of concept attack on August 23 and reported it to Microsoft on August 25. The issue was acknowledged six days later and Wineberg received $24,000 on September 15, in part due to a double bounty promotion that Microsoft was running at the time.
