London-based security researcher and bug hunter Jack Whitton has discovered a serious cross-site request forgery flaw affecting Microsoft’s authentication system for online services.
A successful exploitation of the vulnerability could allow attackers to collect users’ login tokens and use them to impersonate users on Microsoft’s services, but the good news is that the Redmond giant took only two days to plug the security hole once they knew about it.
“Microsoft, being a huge company, have various services spread across multiple domains (*.outlook.com, *.live.com, and so on). To handle authentication across these services, requests are made to login.live.com, login.microsoftonline.com, and login.windows.net to get a session for the user,” Whitton explained in a blog post.
Once the user submits valid login credentials, those last three domains return a POST request containing the login token for the user. The token is accepted by the service, and it logs in the user.
Whitton discovered that by playing around with URL-encoding parameters, he could bypass certain filters that spot authentication errors, and make that POST request (along with the login token) be sent to a site controlled by him. Simply replaying the token allowed him to access the user account.
Luckily for Microsoft, the issue was fixed with a simple rule change that ensures that the browser can only send POST requests to the intended host.
“This was quite a fun CSRF to find and exploit. Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large,” noted Whitton.
He reported the issue to Microsoft in late January. His submission was acknowledged by the company on the “Honor Roll” page of their bug bounty program (in the Online Services section), and he received $13,000 for finding and pointing it out.