Microsoft Fixes DOM XSS Flaw in Surface Domain After Being Notified by Expert

Security researcher Mirza Burhan Baig has been acknowledged for his work

By on December 18th, 2012 09:00 GMT

Independent security researcher Mirza Burhan Baig, who is currently working with, has managed to identify a DOM-based cross-site scripting (XSS) vulnerability on Microsoft’s Surface webpage.

“Microsoft fixed that issue one day after I reported it to them. I just emailed the details to their security department at, then they gave me a case ID and a case manager who coordinated the fix with me,” the researcher told me in an email.

The researcher has provided several screenshots (available below) which demonstrate the existence of the security hole.

For his findings, Microsoft has listed him on the company’s “Security Researcher Acknowledgments for Microsoft Online Services” page.

DOM-based XSS is an attack in which the payload is executed as a result of modifications made to the DOM environment, which cause the page’s client-side code to run in an “unexpected” manner.

The targeted page itself isn’t changed in these attacks; the server sends the same HTML as always, but the client-side code contained in the page behaves differently because of the malicious modifications to the DOM.
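To make the source-to-sink flow described above concrete, here is an added example (not code from the article, and not the code of the Microsoft page it describes) that models a DOM-based XSS pattern beside its hardened form. A small stand-in element mimics how a browser treats `innerHTML` (parsed as markup) versus `textContent` (kept as literal text), so it runs under Node without a real DOM; the fragment parameter name and the greeting behaviour are assumptions made for the illustration.

```javascript
// Minimal HTML escaping, the same transformation a browser applies when it
// serialises text that was assigned through textContent.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Stand-in for a DOM element (constructed for illustration only).
class FakeElement {
  constructor() { this.html = ""; }
  set innerHTML(markup) { this.html = markup; }           // browser parses this as HTML
  get innerHTML() { return this.html; }
  set textContent(text) { this.html = escapeHtml(text); } // browser stores literal text
}

// Source: a "name" value read from the URL fragment (assumed page behaviour:
// a greeting built from #name=...). The fragment never reaches the server,
// which is why the served HTML looks unchanged in a DOM-based XSS.
function nameFromFragment(hash) {
  const m = /[#&]name=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "visitor";
}

// Vulnerable pattern: fragment data is concatenated into markup and written
// through innerHTML (the sink), so any tags it carries join the live page.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = "Welcome, " + nameFromFragment(hash);
  return el.innerHTML;
}

// Hardened pattern: the same data goes through textContent, where "<" is
// just a character and can never open a tag.
function renderGreetingSafe(el, hash) {
  el.textContent = "Welcome, " + nameFromFragment(hash);
  return el.innerHTML; // what the browser would serialise back
}

// Review-time check on what reached the sink: did a tag survive?
function containsTag(markup) {
  return /<[a-zA-Z/]/.test(markup);
}

// Constructed sample fragments: a benign one and one carrying markup.
const BENIGN_HASH = "#name=Ada";
const MARKUP_HASH = "#name=%3Cb%3Einjected%3C%2Fb%3E"; // decodes to <b>injected</b>
```

Any markup that survives the unsafe path shows that the fragment controls the page, which is the condition a fix such as the one described here removes.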

[Gallery: Vulnerability on Microsoft's Surface page (5 images)]