Independent security researcher Mirza Burhan Baig, who is currently working with blackbitz.net, has managed to identify a DOM-based cross-site scripting (XSS) vulnerability on Microsoft’s Surface webpage.
“Microsoft fixed that issue one day after I report it to them. I just emailed the details to their security department at email@example.com, then they gave me a case ID and a case manager who coordinated the fix with me,” the researcher told me in an email.
The researcher has provided several screenshots (available bellow) which demonstrate the existence of the security hole.
For his findings, Microsoft has listed him on the company’s “Security Researcher Acknowledgments for Microsoft Online Services” page.
DOM-based XSS is an attack in which the payload is executed as a result of modifications made to the DOM environment, which make the client-side code to be executed in an “unexpected” manner.
The targeted page isn’t changed in these attacks, but the client-side code contained in the page is run differently because of the malicious modifications.