This Kerala-Based Hacker Uncovered A Microsoft Bug That Would Have Exposed 40 Crore Users

Major tech companies like Google and Microsoft do whatever they can to keep their product squeaky clean, but sometimes vulnerabilities slip through the cracks. That's why have bug bounties, offering cash incentives for reporting bugs in their software.

Sahad NK, who discovered the Microsoft bug

The latest big winner of a bug bounty program is Kerala-based Sahad NK. The security engineer received a cheque for exposing a series of vulnerabilities in Microsoft's code that would let an attacker hijack any Microsoft Outlook, Microsoft Store, or Office 365 account.

Sahad works as a contract researcher for cybersecurity platform Safetydetective.com. He came upon a set of vulnerabilities that, when chained together, could have put over 40 crore Microsoft user accounts at risk. And all they'd need to do for it would be to get the victim to click a single link.

Safetydetective contacted Microsoft with the find immediately, back in June. It wasn't until the end of November that the loopholes were fixed, which is why it's safe to talk about the breach point now.

The avenue of attack Sahad discovered was actually pretty ingenious. He discovered an old Microsoft URL, "success.office.com", that hadn't been properly configured. As such, he was able to take over the domain with relative ease. This allowed him to set up a fake Azure web app, and map it so he also receives any and all data sent to the subdomain.

That in itself wouldn't do much, but that's where the second vulnerability becomes important. You see, Office 365, Microsoft Store, and Outlook, all send authenticated login tokens to this success.office subdomain. These are tokens that can keep you logged into an app once you've signed in, or log you in across connected apps with a tap. Remember that Facebook breach a little while ago that used login tokens? It's the same concept.

So, when a user logs into Office 356 or other Microsoft app, their login token would leak over to the sub-domain under Sahad's control. Then, it's just a simple matter of sending over an official-looking email to the account name he's just received. Once you click that link, your Microsoft account is his playground.

The scariest part of this hack is that, while it relied on a click from your end, there's nothing to warn you that it's not an official Microsoft correspondence. In fact, Safetydetective says even your antivirus wouldn't be able to keep you safe in this situation.

Luckily though, Sahad NK is a hacker more interested in making money by keeping you safe online rather than exploiting you. Probably still a good idea not to get on his bad side though.