STE WILLIAMS

Synack senior security researcher Wesley Wineberg has received US$25,000 from Microsoft for quietly disclosing a bug that allows any Hotmail account to be hijacked.

The cross-site request forgery vulnerability means that any user visiting a malicious page can have their accounts hijacked without further interaction.

The since-patched hole existed in Microsoft Live.com and could have been spun into a dangerous worm, Wineberg says.

“With IMAP and contact book access, a worm could easily email all of a user’s contacts – or at least the ones who use Hotmail, Outlook.com – with something enticing, ILOVEYOU virus -style, and spread to every user who clicks the link,” Wineberg says.

“The only prerequisite was that the victim was logged in and had a valid session token in their cookie.

“This CSRF lets me bypass the user interaction step of the OAuth authentication system.”

Wineberg created a proof-of-concept application that could hijack sessions and showcased it in a video.

He says the vulnerability is merely a “classic” cross-site request forgery that happens to exist in a critical authentication area.

The hacker says Microsoft’s other APIs encountered in regular login appear secure. ®

Sponsored:
Analyzing the economic value of IBM FlashSystem

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/10/09/hotmail_hijack_hole_earns_boffin_25k_double_bug_bounty_trouble/