Microsoft fixes login vulnerability

Weakness could have allowed hackers to take control of user accounts

Microsoft fixed a vulnerability within its login system that could have put scores of users at risk of having their accounts hijacked, security researchers said Monday.


Researchers at Israeli cybersecurity company CyberArk said the vulnerability, associated with Microsoft Azure accounts and Microsoft's OAuth 2.0 applications, could have been used to trick users into giving attackers access to their online accounts.

And while the impact could have been "very powerful," in this particular case, researchers said there was little the user could do.

The bug, which was reportedly addressed by Microsoft weeks after the company was alerted, would have allowed hackers to steal account tokens.

Account tokens, used by websites and applications, allow users to access their accounts without having to constantly re-enter their passwords. The vulnerability allowed an attacker to obtain tokens carrying the victim's permissions, which could let the hacker access and control the account, researchers said.


Researchers said they had already found applications published by Microsoft that were vulnerable to this type of attack. The apps are automatically approved within any Microsoft account, which means they don't require any user consent in order for attackers to exploit them, researchers explained.

In some cases, this could have been done in what researchers call a "zero-click" way, meaning it didn't require any user interaction.


"This vulnerability's attack surface is very wide and its impact can be very powerful. By doing nothing more than clicking or visiting a website, the victim can experience the theft of sensitive data, compromised production servers, lost data, manipulation of data, encryption of all the organization’s data with ransomware and more," the researchers said Monday.


Microsoft was alerted to the flaw in October and fixed it weeks later, according to the researchers.

"We resolved the issue with the applications mentioned in this report in November and customers remain protected," a Microsoft spokesperson told FOX Business Monday.

To prevent similar vulnerabilities in the future, researchers at CyberArk say application owners can do the following:

  1. Make sure that all the trusted redirect URIs configured in the application are under your ownership.
  2. Remove unnecessary redirect URIs.
  3. Make sure the permissions that the OAuth application asks for are the least privileged one it needs.
  4. Disable non-used applications.
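Items 1 and 2 of that checklist amount to a redirect-URI audit. As an added example that is not part of the article or of CyberArk's research, the Python below takes a simplified, constructed app-registration record (its field names are assumptions for this example, not Microsoft's manifest schema) and flags redirect URIs whose host the organisation does not own, that use plain http, that contain wildcards, or that are development leftovers, since a redirect target outside your control is what lets the authorization response leave the victim's session.

```python
from urllib.parse import urlparse

# Constructed sample: a simplified app-registration record. The field names
# are assumptions for this example, not Microsoft's actual manifest schema.
APP_REGISTRATION = {
    "displayName": "Example Internal Portal",
    "redirectUris": [
        "https://portal.example.com/auth/callback",  # fine
        "https://*.example.com/callback",            # wildcard host
        "http://portal.example.com/legacy",          # plain http
        "https://oldvendor-demo.example.net/cb",     # domain not owned
        "https://localhost:3000/dev",                # development leftover
    ],
}

OWNED_DOMAINS = {"example.com"}  # constructed: domains the organisation controls


def host_is_owned(host: str, owned: set[str]) -> bool:
    """True when host equals an owned domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned)


def audit_redirect_uris(app: dict, owned: set[str]) -> dict[str, list[str]]:
    """Return {uri: [findings]} for every redirect URI that needs attention.

    URIs with no findings are omitted, so an empty dict means the list is clean.
    """
    report: dict[str, list[str]] = {}
    for uri in app.get("redirectUris", []):
        findings = []
        parsed = urlparse(uri)
        host = parsed.hostname or ""
        if "*" in uri:
            findings.append("wildcard")      # any matching host can receive the response
        if parsed.scheme != "https":
            findings.append("not-https")     # code/token exposed on the wire
        if host in ("localhost", "127.0.0.1"):
            findings.append("localhost")     # dev leftover, rarely needed in production
        elif not host_is_owned(host.replace("*.", ""), owned):
            findings.append("unowned-host")  # someone else could register or take it over
        if findings:
            report[uri] = findings
    return report


if __name__ == "__main__":
    for uri, problems in audit_redirect_uris(APP_REGISTRATION, OWNED_DOMAINS).items():
        print(f"{uri}: {', '.join(problems)}")
```

Run the same audit across every registration the tenant owns and treat any "unowned-host" finding as a removal candidate under item 2.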


UPDATE: This article has been updated to include a comment from Microsoft.