Describing the discovery in detail, TechCrunch reported that the bug affected apps integrated with Microsoft accounts.
The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without making them constantly re-enter their passwords. An attacker could take over unregistered subdomains that these apps trusted as redirect targets and use them to obtain access tokens without users' consent.
With such a subdomain in hand, all an attacker would need to do is trick an unsuspecting victim into clicking a specially crafted link in an email or on a website, and the token could be stolen. In some cases, however, no user interaction would be required at all: a website embedding a malicious image would suffice.
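The defensive check that follows from the attack described above, added here as an example and not code from the original report, from TechCrunch or from Microsoft: walk an application's registered OAuth redirect URIs and flag any whose host is unregistered or whose CNAME chain ends at a name nobody currently owns, because that is exactly the redirect target an attacker would register to receive the token. The hostnames, CNAME targets and the in-memory DNS table below are constructed for illustration only; in practice `fake_resolve` would be replaced with a real DNS lookup (for example via dnspython), and the check should run against the full redirect URI list of every app that trusts the tenant's domains.

```python
"""Flag OAuth redirect URIs whose hosts are dangling (subdomain-takeover candidates).

The resolver is injected so the check runs offline. FAKE_DNS is a constructed
view of a fictional app's DNS; it does not describe any real Microsoft application.
"""
from urllib.parse import urlparse

# Constructed DNS table: name -> ("A", ip) | ("CNAME", target) | None (NXDOMAIN).
FAKE_DNS = {
    "login.example-app.com": ("A", "203.0.113.10"),
    "portal.example-app.com": ("CNAME", "old-portal.azurewebsites.net"),
    "old-portal.azurewebsites.net": None,  # hosting resource deleted: dangling CNAME
    "api.example-app.com": ("CNAME", "api-prod.example-cdn.net"),
    "api-prod.example-cdn.net": ("A", "198.51.100.7"),
    # "dev.example-app.com" is absent: the name itself no longer resolves
}

# Constructed redirect URI list, as an app registration might whitelist them.
SAMPLE_REDIRECT_URIS = [
    "https://login.example-app.com/callback",
    "https://portal.example-app.com/auth",
    "https://api.example-app.com/oauth/cb",
    "https://dev.example-app.com/cb",
    "http://login.example-app.com/callback",
]


def fake_resolve(name):
    """Stand-in for a DNS lookup; returns the record tuple or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def follow_cname(host, resolve, max_hops=8):
    """Follow the CNAME chain from host.

    Returns (terminal_name, record). record is None when the chain ends in
    NXDOMAIN (or loops / exceeds max_hops), which is the dangling condition.
    """
    seen = set()
    name = host
    for _ in range(max_hops):
        rec = resolve(name)
        if rec is None or rec[0] != "CNAME":
            return name, rec
        seen.add(name)
        name = rec[1]
        if name in seen:  # CNAME loop: treat as unresolvable
            return name, None
    return name, None


def audit_redirect_uris(uris, resolve=fake_resolve):
    """Map each redirect URI to a finding.

    'ok'              host resolves to an address record
    'insecure-scheme' token would travel over plain HTTP
    'dangling-cname'  host CNAMEs to a name that does not exist (takeover target)
    'nxdomain'        host itself does not exist
    """
    findings = {}
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings[uri] = "insecure-scheme"
            continue
        host = parsed.hostname or ""
        terminal, rec = follow_cname(host, resolve)
        if rec is not None:
            findings[uri] = "ok"
        elif terminal != host:
            findings[uri] = "dangling-cname"
        else:
            findings[uri] = "nxdomain"
    return findings


if __name__ == "__main__":
    for uri, finding in audit_redirect_uris(SAMPLE_REDIRECT_URIS).items():
        print(f"{finding:16} {uri}")
```

A 'dangling-cname' hit is the urgent case: anyone who can register the terminal name (a deleted cloud hosting resource, for example) receives whatever the authorization server redirects there. A 'nxdomain' hit matters when the registrable parent domain is not controlled by the app owner, and every finding other than 'ok' is a redirect URI that should be removed from the registration rather than left on the whitelist.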
The researchers informed Microsoft of the flaw in October 2019. Microsoft subsequently confirmed that it had deployed a fix with its November updates.
According to a Microsoft spokesperson’s statement to TechCrunch,
"We resolved the issue with the applications mentioned in this report in November and customers remain protected."

Recently, Microsoft has also addressed a spoofing vulnerability in Microsoft Outlook for Android. Exploiting the bug could allow an attacker to conduct cross-site scripting attacks in the context of the current user.
Take your time to comment on this news.