With Microsoft being one of today’s top technology giants, you’d think its IT environments would be among the most secure. Recently, an India-based vulnerability hunter, Sahad Nk, discovered an exploit on Microsoft’s 365 login page, success.office.com. This sub-domain had not been properly configured, which allowed Sahad to point the unconfigured sub-domain to his own Azure instance using a CNAME record.
Digging further, Sahad figured out that the website, including their Store and other Sway apps, could be manipulated into sending authenticated login tokens. When a user logged in through Microsoft’s Live system, all data would be sent to his own domain.
All Sahad would have to do is send an email to any 365 user asking them to click a link, which would provide him with a valid session token that would allow him to log in to the user’s account without needing a username and password. Since Nk had configured the CNAME record, the link would display as login.live.com – a valid URL.
This bug had left countless accounts at risk, both consumer and enterprise. Microsoft recently told TechCrunch that the case was mitigated in November 2018 and that the bug was remediated. And yes, Sahad was paid for his discovery!
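For defenders, the CNAME misconfiguration described in the first paragraph is something you can audit for in your own DNS zones. The following is an added example, not code from Microsoft or the researcher: it scans a zone export for CNAME records that point at Azure-hosted names which no longer resolve. The suffix list, the `example.com` records and the function names are assumptions made for illustration.

```python
import socket

# Assumption: a short, non-exhaustive list of Azure-hosted name suffixes.
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

# Constructed sample zone export; none of these records are real.
SAMPLE_ZONE = """
; constructed records for illustration
www.example.com.    3600 IN CNAME example-web.azurewebsites.net.
promo.example.com.  3600 IN CNAME example-promo-old.azurewebsites.net.
mail.example.com.   3600 IN MX 10 mx.example.com.
docs.example.com.   3600 IN CNAME docs.example.net.
"""

def resolves(hostname):
    """Return True if the name currently resolves to at least one address."""
    try:
        return bool(socket.getaddrinfo(hostname, None))
    except socket.gaierror:
        return False

def parse_cnames(zone_text):
    """Yield (owner, target) for each 'name [ttl] [IN] CNAME target' line."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, then tokenize
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx >= 1 and idx + 1 < len(fields):
            yield fields[0].rstrip(".").lower(), fields[idx + 1].rstrip(".").lower()

def audit(zone_text, resolver=resolves):
    """Return CNAMEs whose Azure-hosted target does not resolve (dangling)."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        if target.endswith(AZURE_SUFFIXES) and not resolver(target):
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    # Uses live DNS; pass a different resolver to test offline.
    for owner, target in audit(SAMPLE_ZONE):
        print(f"dangling: {owner} -> {target}")
```

A target that does resolve can still belong to someone else, so each flagged or surviving record should also be matched against the resources actually present in your own cloud account.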