Microsoft was thus able to patch it in good time

Oct 9, 2015 09:28 GMT

Wesley Wineberg, a security researcher at Synack, received a bug bounty of $24,000 from Microsoft after discovering and reporting to the company a critical vulnerability affecting Live.com services that could be used by cybercriminals to infiltrate into almost any account.

In a lengthy blog post providing technical details on how a successful exploit would work, Wineberg explains that it all started when he decided to take a closer look at OAuth, the mechanism Outlook uses to let users grant their apps access to the emails arriving in their inbox.

Wineberg managed to create a fake application that bypassed the OAuth protections and was thus able to freely access the contents of any account. The next step was to embed this fake app's request in a website and trick anyone holding an Outlook account into visiting that page, which would deliver the malicious code.

Worm stealing contacts and spreading malware

What's worse is that attackers using this technique could obtain permanent access to compromised accounts, unlike typical CSRF exploits, which only grant temporary access based on a valid session token in cookies stolen from users' computers.
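The article contrasts the finding with an ordinary CSRF exploit. As an added illustration (not code from the article or from Wineberg's write-up), the Python model below shows the defensive principle behind that class of bug: an OAuth consent endpoint that trusts the ambient session cookie alone will accept a cross-site request forged in the victim's browser to approve an attacker's application, whereas one that requires a per-session anti-CSRF token rejects it, because the attacker's page can trigger the request but cannot read the token. All names, client ids and scopes are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """A logged-in browser session at the authorization server (constructed model)."""
    user: str
    # Random token minted per session and embedded in the consent form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class AuthorizationServer:
    # grants[user] = set of (client_id, scope) the user has approved.
    grants: dict = field(default_factory=dict)

    def consent_unprotected(self, session: Session, client_id: str, scope: str) -> bool:
        # Weak pattern: any POST carrying the victim's cookie is treated as consent.
        self.grants.setdefault(session.user, set()).add((client_id, scope))
        return True

    def consent_protected(self, session: Session, client_id: str, scope: str,
                          submitted_token: str) -> bool:
        # Hardened pattern: the POST must echo the token bound to this session.
        # compare_digest avoids leaking the token through timing differences.
        if not hmac.compare_digest(submitted_token, session.csrf_token):
            return False
        self.grants.setdefault(session.user, set()).add((client_id, scope))
        return True


def simulate_forged_consent(protected: bool):
    """Attacker's page auto-submits a consent POST from the victim's browser.

    Returns (request_accepted, attacker_app_now_authorized).
    """
    victim = Session(user="victim@example.com")  # constructed
    srv = AuthorizationServer()
    # Cookies ride along with the forged request, but the attacker cannot read the
    # victim's per-session token, so the best they can do is guess.
    guessed_token = "not-the-real-token"
    if protected:
        accepted = srv.consent_protected(victim, "attacker-app", "mail.read", guessed_token)
    else:
        accepted = srv.consent_unprotected(victim, "attacker-app", "mail.read")
    authorized = ("attacker-app", "mail.read") in srv.grants.get(victim.user, set())
    return accepted, authorized


def simulate_legitimate_consent() -> bool:
    """The real user submits the form, which carries the token from their own session."""
    user = Session(user="victim@example.com")  # constructed
    srv = AuthorizationServer()
    return srv.consent_protected(user, "trusted-mail-client", "mail.read", user.csrf_token)


if __name__ == "__main__":
    print("unprotected endpoint, forged request:", simulate_forged_consent(False))
    print("protected endpoint, forged request:  ", simulate_forged_consent(True))
    print("protected endpoint, real user:       ", simulate_legitimate_consent())
```

The consent grant is the dangerous step because, once recorded, it lets the approved application keep pulling mail long after the browser session that approved it has expired, which is exactly why the article stresses that access here would be permanent rather than tied to a stolen cookie.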

And that's not all the damage a hacker could have done. According to Wineberg, a traditional worm built to take advantage of this vulnerability would be able not only to get into a hacked account, but also to steal all of its contacts and email them a message with an attached virus or malicious link, spreading more malware.

Contacts receiving the email might click the included links or open the attachments because they trust the sender, so the malware could spread rapidly.

The vulnerability was first discovered on August 23 and, only two days later, Wineberg reported it to Microsoft. On September 15, Microsoft not only patched the security vulnerability, but also paid the security researcher $24,000 as part of its bug bounty program. Good guy, Microsoft.