Flaw in Microsoft's login system lets hackers take control of any Office account
Microsoft's login system contains a number of vulnerabilities that, when combined, form a complete attack that lets anyone gain access to a Microsoft account once its user clicks a scam link.
Sahad Nk, a bug hunter in India, took over "success.office.com", a Microsoft subdomain, after discovering that it was not properly configured.
Nk then pointed "success.office.com" at his own Azure instance via a CNAME record, giving him control of the subdomain and of any data sent to it.
It was also found that, after a user logs in through the Microsoft Live login system, the Microsoft Office, Store and Sway applications can be tricked into sending login credentials to the newly controlled domain. Holding an authentication code amounts to holding someone's account login information, including for accounts protected by two-factor authentication. This lets an attacker get into users' accounts without being detected.
Earlier this year, Facebook suffered a similar vulnerability, which led to 30 million user accounts being leaked.
However, the Microsoft vulnerability is even more dangerous and could affect countless accounts: an attacker can access any Office account, including those of businesses and entrepreneurs, while the user is still logged in through Microsoft's system, and the culprit is almost impossible to trace.
Nk, with the help of Paulos Yibelo, sent a report about this vulnerability to Microsoft so they could fix it.
Microsoft confirmed the vulnerability in November 2018 and fixed it by deleting the CNAME record that pointed to Nk's Azure instance.
Microsoft awarded Nk a prize for the discovery, but it is unclear how much the reward is.
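The fix described above was deleting the CNAME record. As an added example (not code from the article or from Microsoft), the Python below audits a DNS inventory for CNAMEs whose final target is a customer-claimable Azure hostname that no longer resolves. The suffix list, the example.com records and the injected resolver are constructed assumptions.

```python
import socket
# Assumption: non-exhaustive Azure suffixes whose left-most label any customer can register.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net",
                      ".cloudapp.azure.com", ".trafficmanager.net")

def system_resolves(host):
    """Live check: does the name resolve through the system resolver?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def final_target(name, cnames):
    """Follow CNAMEs inside the inventory; None means the chain loops."""
    seen = set()
    while name in cnames:
        if name in seen:
            return None
        seen.add(name)
        name = cnames[name]
    return name

def find_dangling_cnames(records, resolves=system_resolves):
    """records: (name, cname_target) pairs. Returns sorted (name, target) findings."""
    cnames = {n.rstrip(".").lower(): t.rstrip(".").lower() for n, t in records}
    findings = []
    for name in cnames:
        target = final_target(name, cnames)
        # Flag only claimable cloud names that no longer resolve to anything.
        if target and target.endswith(CLAIMABLE_SUFFIXES) and not resolves(target):
            findings.append((name, target))
    return sorted(findings)

# Constructed inventory and resolver state (hypothetical names, not from the article).
SAMPLE_RECORDS = [
    ("portal.example.com.", "example-portal.azurewebsites.net."),
    ("promo.example.com.", "Example-Promo-2017.azurewebsites.net."),
    ("success.example.com.", "promo.example.com."),
    ("www.example.com.", "edge.example-cdn.net."),
]
LIVE_TARGETS = {"example-portal.azurewebsites.net", "edge.example-cdn.net"}

def sample_resolves(host):
    return host in LIVE_TARGETS

if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_RECORDS, sample_resolves):
        print(f"DANGLING {name} -> {target}: delete the record or reclaim the resource")
```

A target that does resolve may still belong to another tenant, so findings are best cross-checked against the organisation's own list of cloud resources.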