A Kerala-Based Engineer Uncovered A Bug That Could Expose More Than 40 Crore Microsoft Accounts

ADMIN


Given the spike in cybercrime, in which end users are the most affected, most technology giants focus on keeping their platforms and products secure to avoid any untoward incidents.

Our internet footprint is extremely large, and with everything moving online, we entrust a huge part of ourselves to the internet.

To keep their products clean, tech giants have encouraged bug bounties and welcomed white hat hackers in the last decade. 

This rewarding stance of companies has created a new line of hackers, who intend to discover cracks in the system and then inform the admin so that a patch can be applied. This way, the hackers aren't legally penalised for the unauthorised entry, but rewarded for being ethical.


Sahad NK, who works as a security researcher with cybersecurity portal Safetydetective.com, came across multiple vulnerabilities that left over 400 million Microsoft users' accounts, from Office 365 to Outlook emails, open to intrusion.

When these vulnerabilities are chained together, an attacker can take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by getting the victim to click on a link.


"Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them," said Safetydetective on Tuesday. Microsoft was informed about the susceptibility in June and then a patch was in place by November.

"While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store," said Sahad.


A Microsoft-operated subdomain, "success.office.com", wasn't configured properly, and the same bug was also found in the Microsoft Office, Store and Sway products.

Since the subdomain belongs to Office.com, a majority of safety tools, such as anti-virus software and malicious link detectors, failed to flag it as unsafe. Even after clicking the link, the user was passing through an official Microsoft domain.


Sahad, along with fellow researcher Paulos Yibelo, reported the bug to Microsoft, which, after fixing it, awarded them an unspecified amount as a bug bounty.

"Anyone's Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user," TechCrunch said.

Source: TechCrunch
