Friday, 9 October 2015

Serious Leak Showed Hacker Account-Hijacking

Microsoft has a vulnerability in the login mechanism for poem allow an attacker accounts of the webmail service, and possibly other Microsoft services could hijack. Just visiting a malicious website or see getting a malicious ad with a login account for this was sufficient, says researcher Wesley Wineberg of security SYNACK.

He discovered on August 23, the vulnerability in the login mechanism of and now has his research made ​​ the authentication system that Microsoft uses to allow users to to log in and let other Microsoft services. The problem Wineberg encountered is called cross-site request forgery (CSRF). These are performed in a user's name unauthorized actions.

Owners of a Microsoft account, that is used, apps give access to certain things, such as the address book or profile information. The user must confirm this entry itself and also get to see exactly clear what the app will access it. Wine Berg developed an attack in which CSRF is used to carry out this operation in the user's name.

In this case, the user would grant permission to an app that was given full access to the account. The CSRF code would thereby be executed automatically when a user visits a malicious website logged by Microsoft or view a malicious ad got.After being informed three weeks, the vulnerability was later closed by Microsoft and Wineberg received a reward of $ 24,000.

No comments:

Post a Comment