Bug bounty hunter Sahad Nk recently uncovered a series of vulnerabilities that left Microsoft users’ accounts — from your Office documents to your Outlook emails — susceptible to hacking.
While working as a security researcher with cybersecurity site SafetyDetective, Nk discovered that he was able to take over the Microsoft subdomain, http://success.office.com, because it wasn’t properly configured. This allowed the bug hunter to set up an Azure web app that pointed to the domain’s CNAME record, which maps domain aliases and subdomains to the main domain. By doing this, Nk not only took control of the subdomain, but also received any and all data sent to it.
This is where the second major vulnerability comes into play.
Microsoft Office, Outlook, Store, and Sway apps send authenticated login tokens to the http://success.office.com subdomain. When a user logs in to Microsoft Live, login.live.com, the login token would leak over to the server controlled by Nk. He would then just have to send over an email to the user asking them to click a link, which would provide Nk with a valid session token — a way to log in to the user’s account without even needing their username or password. And, because Nk has access on Microsoft’s side, that link would come in the form of a login.live.com URL, bypassing phishing detection and even the savviest of internet users.
According to SafetyDetective, the issues were reported to Microsoft in June. They were fixed just last month, in November.
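An added example (not from the article, SafetyDetective or Microsoft): a defender's audit of their own DNS zone for the condition described above, a CNAME that still points at a hosting name nobody holds, escalated when that hostname is also allowed to receive login tokens. The `example.com` records, the suffix list, the token-host list and the offline resolver are constructed assumptions.

```python
import socket

# Hosting suffixes where an unused name can be registered by anyone (assumed list).
CLAIMABLE_SUFFIXES = (".azurewebsites.net",)
# Constructed sample zone export for example.com, not real records.
SAMPLE_ZONE = """\
; constructed sample records
www      3600 IN CNAME contoso-www.azurewebsites.net.
success  3600 IN CNAME contoso-retired-app.azurewebsites.net.
promo    3600 IN CNAME contoso-old-promo.azurewebsites.net.
docs     3600 IN CNAME docs.example.org.
"""
TOKEN_HOSTS = {"success.example.com"}  # constructed: hosts sign-in flows send tokens to
LIVE_TARGETS = {"contoso-www.azurewebsites.net"}  # constructed stand-in for live DNS

def parse_cnames(zone_text, origin):
    """Return {fqdn: target} for CNAME records in a BIND-style zone export."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        if "CNAME" not in fields[1:-1]:
            continue
        name, target = fields[0], fields[fields.index("CNAME") + 1]
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        records[fqdn.lower()] = target.rstrip(".").lower()
    return records

def resolves(host):
    """True if the name currently resolves; NXDOMAIN suggests it is unclaimed."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, origin, token_hosts, resolver=resolves):
    """List (severity, hostname, target) for CNAMEs pointing at unclaimed names."""
    findings = []
    for fqdn, target in sorted(parse_cnames(zone_text, origin).items()):
        if not target.endswith(CLAIMABLE_SUFFIXES) or resolver(target):
            continue  # not a claimable platform, or the target still exists
        severity = "critical" if fqdn in token_hosts else "high"
        findings.append((severity, fqdn, target))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, "example.com", TOKEN_HOSTS, LIVE_TARGETS.__contains__):
        print(*finding)
```

Run against a real zone export with the default resolver; a failed lookup is a heuristic, so confirm each finding in the hosting provider's console before removing the record.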