This bug could have allowed bad guys to take control of Microsoft Outlook, Microsoft Store, or Microsoft Sway accounts. Hackers would have taken over accounts simply by getting users to click on a link they had put out.
How Sahad discovered the bug
Sahad found the bug during a small inspection he conducted. He noticed that a Microsoft subdomain, success.office.com, was pointing to an Azure service through its CNAME record.
Logically, Sahad then used a CNAME record in the Microsoft Azure Web service to link the Office domain to a subdomain that had never been configured. From that point on, Sahad controlled the Microsoft subdomain success.office.com and all the data sent to it.
According to Sahad, this wasn't much of a problem on its own until he combined it with another Microsoft vulnerability. That vulnerability made Microsoft apps send the login credentials users typed in to the domain he now controlled. Microsoft Outlook and Store were both affected.
The second vulnerability Sahad used was a wildcard regex: the pattern those Microsoft apps used to decide which domains to trust matched the subdomain he controlled, so the apps treated it as trusted and sent him the login credentials.
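An added illustration of the two weaknesses the article describes (example code, not from the article or from Microsoft): a dangling-CNAME check over constructed DNS data, and a wildcard trust regex beside a strict hostname allowlist. Every hostname, record and pattern below is a constructed placeholder, not the real Microsoft configuration.

```python
import re
from urllib.parse import urlsplit

# Constructed DNS snapshot (placeholder names, not the records from the incident).
# None means the name returns NXDOMAIN, i.e. the CNAME target was never claimed.
DNS_RECORDS = {
    "success.office.com": ("CNAME", "success-portal.azurewebsites.net"),
    "www.office.com": ("A", "203.0.113.10"),
    "success-portal.azurewebsites.net": None,
}


def dangling_cnames(records):
    """Return hostnames whose CNAME target does not resolve: takeover candidates.

    A defender runs this kind of check over their own zones so an unclaimed
    cloud name is found and cleaned up before anyone else registers it.
    """
    dangling = []
    for host, rec in records.items():
        if rec is not None and rec[0] == "CNAME" and records.get(rec[1]) is None:
            dangling.append(host)
    return dangling


# Permissive pattern of the kind the article describes: any host ending in
# office.com is trusted, including a taken-over subdomain. Because the pattern
# is not anchored at the end, it also matches hosts that merely contain it.
WILDCARD_TRUST = re.compile(r"^https://.*office\.com")

# Hardened check: exact hostnames only, scheme pinned, no wildcard.
TRUSTED_HOSTS = {"login.office.com", "www.office.com"}  # constructed allowlist


def wildcard_trusts(redirect_url: str) -> bool:
    """Trust decision as a permissive wildcard regex would make it."""
    return WILDCARD_TRUST.match(redirect_url) is not None


def strict_trusts(redirect_url: str) -> bool:
    """Trust decision against an explicit allowlist of full hostnames."""
    parts = urlsplit(redirect_url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


if __name__ == "__main__":
    print("dangling:", dangling_cnames(DNS_RECORDS))
    for url in ("https://success.office.com/cb", "https://evil-office.com/cb",
                "https://office.com.evil.example/", "https://login.office.com/cb"):
        print(url, "wildcard:", wildcard_trusts(url), "strict:", strict_trusts(url))
```

The taken-over subdomain passes the wildcard check but not the allowlist, and the dangling-CNAME scan flags it before the name is claimed by anyone else.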
How would this have affected Microsoft accounts?
This bug undoubtedly could have enabled hackers to take over millions of Microsoft accounts. But how? It's quite simple. The bad guys would have crafted a link that opens the Microsoft login page.
When users logged in through that link and created an access token (i.e. the "Remember me" option in browsers), the token would be sent to the attacker-controlled subdomain, leaving the Microsoft account wide open.
The most frightening thing is that the link looked entirely legitimate, making it hard to notice anything wrong. Even the Microsoft servers could not tell it apart. This was a very big potential threat to Microsoft users, since what they saw was just a normal Microsoft login page.
In a nutshell, anybody's Office account could have been attacked with ease. It didn't matter whether it was a personal, enterprise or corporate account. The nightmare was that telling legitimate users apart from the hackers would not have been an easy job. Thanks to Sahad for reporting the bug and getting Microsoft to fix it.
Although it has been fixed, we strongly suggest you change your passwords. Who knows? Maybe Sahad wasn't the first one to discover this flaw.