Given the spike in cybercrime, in which end users are the most affected, most technology giants stay focused on keeping their platforms and products secure to avoid incidents.
Our internet footprint is extremely large, and with everything moving online, we entrust a huge part of ourselves to it.
To keep their products clean, tech giants have encouraged bug bounties and welcomed white-hat hackers over the last decade.
This rewarding stance has created a new line of hackers, who set out to discover cracks in a system and then inform its administrators so that a patch can be applied. This way, the hackers aren't legally penalised for the unauthorised entry but rewarded for being ethical.
Sahad NK, a security researcher with the cybersecurity portal Safetydetective.com, came across multiple vulnerabilities that left over 400 million Microsoft user accounts, from Office 365 to Outlook email, open to intrusion.
When these vulnerabilities are chained together, an attacker can take over any Microsoft Outlook, Microsoft Store, or Microsoft Sway account simply by having the victim click a link.
"Immediately after finding these vulnerabilities, we contacted Microsoft via their responsible disclosure programme and started working with them," said Safetydetective on Tuesday. Microsoft was informed of the vulnerability in June, and a patch was in place by November.
"While the vulnerability proof of concept was only made for Microsoft Outlook and Microsoft Sway, we expect it to affect all Microsoft accounts including Microsoft Store," said Sahad.
A Microsoft-operated subdomain, "success.office.com", was not configured properly, and the same bug was also found in the Microsoft Office, Store and Sway products.
Since the subdomain belongs to Office.com, most security tools, such as antivirus software and malicious-link detectors, failed to flag it as unsafe. Even when clicking the link, the user was passing through an official Microsoft domain.
Sahad, along with fellow researcher Paulos Yibelo, reported the bug to Microsoft, which, after fixing it, awarded them an unspecified amount as a bug bounty.
"Anyone's Office account, even enterprise and corporate accounts, including their email, documents and other files, could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user," TechCrunch said.