A bug in Microsoft’s login system left your Office account wide open to complete takeover

A serious bug in a Microsoft subdomain could have left your Microsoft account, from your Office documents to your Outlook emails, open to takeover. Sahad Nk, an India-based security researcher and bug hunter, recently uncovered the flaws: a series of bugs which, when chained together, could give an attacker access to someone's Microsoft account.

A Microsoft bug could have exposed 400 million accounts

While working as a security researcher, Nk discovered that the Microsoft subdomain success.office.com was not properly configured: its DNS entry was a CNAME record (a canonical name record, which aliases one hostname to another) pointing at an Azure resource that was no longer in use. Because that target name was unclaimed, he could register it himself and have the subdomain resolve to his own Azure instance, a classic dangling-CNAME subdomain takeover. From then on, Nk controlled success.office.com and any data sent to it.

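The class of misconfiguration described above, a CNAME whose target no longer exists under a hosting provider where anyone can claim names, is something a defender can audit for. The following is an added example, not code from the article or from Microsoft: it walks CNAME chains over a constructed zone snapshot and flags owners whose chain ends at a name that does not resolve. The zone data, the claimed-host set and the suffix list are constructed for the example; the hostnames under office.com are illustrative and do not reflect real Microsoft DNS records.

```python
import socket
from typing import Callable, Dict, List

# Hosting suffixes where a deleted target can be re-registered by anyone, which makes
# the aliasing subdomain hijackable. Hypothetical, non-exhaustive list for the example.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net.", ".cloudapp.net.", ".trafficmanager.net.",
    ".blob.core.windows.net.", ".s3.amazonaws.com.", ".herokuapp.com.", ".github.io.",
)

# Constructed zone snapshot (owner name -> CNAME target). Not real DNS data.
ZONE_CNAMES: Dict[str, str] = {
    "success.office.com.": "success-office.azurewebsites.net.",  # target unclaimed: hijackable
    "docs.office.com.": "docs-cdn.trafficmanager.net.",           # target claimed: fine
    "blog.office.com.": "office-blog.herokuapp.com.",             # target unclaimed: hijackable
    "www.office.com.": "edge.office.com.",                        # internal alias, two hops
    "edge.office.com.": "docs-cdn.trafficmanager.net.",
    "old.office.com.": "retired.internal.office.net.",            # dangling, but not claimable
    "loop-a.office.com.": "loop-b.office.com.",                   # CNAME loop, reported as error
    "loop-b.office.com.": "loop-a.office.com.",
}

# Constructed set of targets that currently resolve, i.e. that someone has claimed.
CLAIMED_HOSTS = {"docs-cdn.trafficmanager.net."}


def canonical(name: str) -> str:
    """Lower-case and fully qualify (trailing dot) so names compare consistently."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def follow_cnames(name: str, cnames: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Return the CNAME chain from name to the first name that is not itself a CNAME.

    Raises ValueError on a loop or on a chain longer than max_hops.
    """
    chain = [canonical(name)]
    seen = {chain[0]}
    while chain[-1] in cnames:
        nxt = canonical(cnames[chain[-1]])
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(chain) > max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops from {name}")
        chain.append(nxt)
        seen.add(nxt)
    return chain


def offline_resolves(host: str) -> bool:
    """Stand-in resolver for the example: a target resolves iff it is in CLAIMED_HOSTS."""
    return canonical(host) in CLAIMED_HOSTS


def live_resolves(host: str) -> bool:
    """Real resolver for use outside the example (needs network access)."""
    try:
        socket.gethostbyname(host.rstrip("."))
        return True
    except socket.gaierror:
        return False


def audit_zone(cnames: Dict[str, str], resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Classify every CNAME owner as 'ok', 'dangling', 'dangling-takeover-prone' or 'error:...'.

    A record is dangling when its chain ends at a name that does not resolve, and
    takeover-prone when that terminal name sits under a suffix anyone can claim.
    """
    results: Dict[str, str] = {}
    for owner in cnames:
        try:
            chain = follow_cnames(owner, cnames)
        except ValueError as exc:
            results[canonical(owner)] = f"error:{exc}"
            continue
        terminal = chain[-1]
        if resolves(terminal):
            verdict = "ok"
        elif terminal.endswith(TAKEOVER_PRONE_SUFFIXES):
            verdict = "dangling-takeover-prone"
        else:
            verdict = "dangling"
        results[canonical(owner)] = verdict
    return results


if __name__ == "__main__":
    for owner, verdict in sorted(audit_zone(ZONE_CNAMES, offline_resolves).items()):
        print(f"{owner:24} {verdict}")
```

To run this against a real zone, export the CNAME records from the authoritative DNS provider into the same owner-to-target mapping and pass `live_resolves` instead of `offline_resolves`. A `dangling` verdict is a hygiene issue; `dangling-takeover-prone` is the condition that lets an outsider claim the target and, as in the story above, receive whatever the subdomain is trusted to receive.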
On its own, that would not have been much of a problem, were it not for a second major vulnerability.
Microsoft's Office, Outlook, Store and Sway apps send authenticated login tokens to the success.office.com subdomain. Nk also found that the login system validated the destination with a wildcard regex that trusted anything under office.com, so a token could be sent to his newly controlled subdomain just as readily as to a legitimate one. With that, he could gain access to any Microsoft account simply by getting the user to click a specially crafted link sent in an email. And because the redirect is carried out by Microsoft's own login service, that link would be a genuine login.live.com URL; even the savviest users and phishing filters would have had little reason to suspect it.
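The weakness in the second bug is the validation rule, not the subdomain itself: a pattern that accepts any host containing the trusted domain also accepts a hijacked subdomain, a lookalike domain, and a few URL parsing tricks. The following is an added example and not Microsoft's code; the actual pattern used is not given in the article, so the wildcard regex here is a hypothetical stand-in for the class, and the allowlist of trusted hosts and the sample redirect targets are constructed for illustration.

```python
import re
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Weak check: a wildcard pattern of the kind the article describes (hypothetical stand-in).
# Any URL whose authority part contains "office.com" passes, so every subdomain is trusted,
# including one an attacker has taken over.
WILDCARD_OFFICE = re.compile(r"^https://[^/]*office\.com", re.IGNORECASE)


def trusted_by_wildcard(redirect_uri: str) -> bool:
    return WILDCARD_OFFICE.match(redirect_uri) is not None


# Hardened check: exact-match allowlist of the hosts that should actually receive tokens.
# Assumed list for the example, not Microsoft's real configuration.
TRUSTED_REDIRECT_HOSTS = frozenset({"www.office.com", "outlook.office.com"})


def trusted_by_allowlist(redirect_uri: str) -> bool:
    """Accept only https URLs whose host is exactly on the allowlist.

    urlsplit().hostname drops userinfo and port and lower-cases the host, which defeats
    the "https://www.office.com@attacker/" trick that substring and regex checks fall for.
    """
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname in TRUSTED_REDIRECT_HOSTS


def token_destination(redirect_uri: str, validator: Callable[[str], bool]) -> Optional[str]:
    """Where a login server using `validator` would send the token: the URI, or None if refused."""
    return redirect_uri if validator(redirect_uri) else None


def compare(redirect_uri: str) -> Tuple[bool, bool]:
    """(wildcard verdict, allowlist verdict) for one redirect target."""
    return (trusted_by_wildcard(redirect_uri), trusted_by_allowlist(redirect_uri))


# Constructed redirect targets exercising the failure modes of the wildcard check.
SAMPLE_REDIRECTS = [
    "https://www.office.com/landing",            # legitimate destination
    "https://success.office.com/callback",       # subdomain under attacker control
    "https://evil-office.com/",                  # registrable lookalike domain
    "https://office.com.attacker.example/",      # trusted name used as a prefix
    "https://www.office.com@attacker.example/",  # userinfo trick; real host is attacker.example
    "http://www.office.com/landing",             # plaintext downgrade
]

if __name__ == "__main__":
    print(f"{'redirect_uri':44} wildcard allowlist")
    for uri in SAMPLE_REDIRECTS:
        wildcard, allowlist = compare(uri)
        print(f"{uri:44} {str(wildcard):8} {allowlist}")
```

Only the first sample passes the allowlist; the wildcard accepts five of the six. Note that anchoring the pattern (`^https://[^/]*\.office\.com/`) would still trust every subdomain, which is exactly the condition the first bug exploited; the fix is exact matching of the full host against the set of registered redirect targets, which is also what the OAuth 2.0 security guidance recommends for redirect URIs.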
In the hands of a malicious attacker, as many as 400 million Office 365 users could have been exposed. Thankfully, Nk reported the bug to Microsoft, which fixed it.
Nk reportedly discovered the issues in June; Microsoft fixed them in November by removing the CNAME record, a Microsoft spokesperson told TechCrunch.
Microsoft paid out a bug bounty for Nk’s efforts.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.
