Categories: Security

Microsoft Rapidly Patches Serious Phishing Flaw

Microsoft has taken only two days to fix a security bug that could have enabled attackers to take over the accounts of users logging into Internet-based services such as Outlook.com or Windows Live.

British programmer Jack Whitton reported the problem to Microsoft earlier this year, on Sunday, 24 January, and a fix was implemented on the following Tuesday. Whitton first made the bug public in a blog post over the weekend.

Faulty authentication

When a user already logged into a Microsoft service running on one domain, such as outlook.com, accesses another service running on another domain, such as live.com, the user is issued a token proving their identity, so that they don’t have to login a second time. T

he token is used because the services run on completely separate domains, meaning cookies wouldn’t function.

The security bug affected the way the tokens are authenticated, and meant a malicious user who captured a user’s token via a fake website could have used the token to gain “complete access to the user’s account”, in an attack type known as a cross-site request forgery (CSRF), Whitton wrote.

“Despite CSRF bugs not having the same credibility as other bugs, when discovered in authentication systems their impact can be pretty large,” he wrote.

An attacker would need different tokens to access services hosted on different domains, but Whitton speculated that multiple hidden iframes could be used to harvest the tokens of various services.

Phishing scams

Phishing is a growing problem, with Seagate, Snapchat and Airbnb recently affected by scams using the technique.

While Whitton’s bug affected Microsoft’s online services, Windows administrators are currently awaiting a fix for a mysterious bug called “Badlock” that also affects an open-source tool called Samba.

Microsoft and Samba engineers warned that the bug is serious and to expect a fix on 12 April, Microsoft’s next scheduled patching date, but didn’t give any further information in order to prevent attackers from developing an exploit before the patch becomes available.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Vodafone Germany Confirms 2,000 Job Losses, Amid European Restructuring

More downsizing at Vodafone after German operation announces 2,000 jobs will be axed, as automation…

15 hours ago

AI Poses ‘Jobs Apocalypse’, Warns Report

IPPR report warns AI could remove almost 8 million jobs in the United Kingdom, with…

16 hours ago

Europe’s Longest Hyperloop Test Track Opens

European Hyperloop Center in the Netherlands seeks to advance futuristic transport technology, despite US setbacks

17 hours ago

NHS Scotland Confirms Clinical Data Published By Ransomware Gang

NHS Dumfries and Galloway condemns ransomware gang for publishing patients clinical data after cyberattack earlier…

18 hours ago

Fewer People Using Twitter After Musk Takeover – Report

Research data suggests fewer people are using Elon Musk's X, but platform insists 250 million…

21 hours ago

Julian Assange Wins Temporary Reprieve For US Extradition Appeal

US assurances required. Julian Assange handed a slender reprieve in fight against his extradition to…

23 hours ago